Upgrade Jetty Webserver JAR


#1

Hello together,

in the current JAR version of Metabase (0.31.1) there exist multiple vulnerabilities:

High (CVSS: 7.5)
NVT: Eclipse Jetty Server Fake Pipeline Request Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.813551)

Medium (CVSS: 5.0)
NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.813552)

As mentioned, the suggested solution is to upgrade it to the newest version. Could you please upgrade it during the next releases, or is there a way to do it on our own without compiling the whole source code?

Furthermore, is it possible to deactivate HTTP while HTTPS is used?

Thank you very much.


#2

I’ve checked the config files in the Metabase JAR - seems it is on a non-vulnerable version: 9.4.11.v20180605. Can somebody confirm this?

Nevertheless, the current version is 9.4.14.v20181114 - it might be time to upgrade to it, as the release in use is from June 2018.

Greets
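
Added example (not part of the thread and not Metabase code): one way to repeat the check described in post #2, reading the bundled Jetty version straight out of a JAR and comparing it with a baseline release. It assumes the JAR kept the Maven `pom.properties` entries of its Jetty dependencies; the function names and the sample JAR are constructed for illustration.

```python
import io
import re
import zipfile

# Maven-built jars normally carry META-INF/maven/<groupId>/<artifactId>/pom.properties.
# Assumption: the uberjar kept those entries for its org.eclipse.jetty dependencies.
POM_PROPS = re.compile(r"^META-INF/maven/(org\.eclipse\.jetty[^/]*)/([^/]+)/pom\.properties$")

def bundled_jetty_versions(jar):
    """Map 'groupId:artifactId' -> version for each Jetty artifact in the jar.
    `jar` is a filesystem path or a binary file object."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            text = zf.read(name).decode("utf-8", "replace")
            props = dict(line.split("=", 1) for line in text.splitlines()
                         if "=" in line and not line.lstrip().startswith("#"))
            found[f"{m.group(1)}:{m.group(2)}"] = props.get("version", "").strip()
    return found

def release_tuple(version):
    """'9.4.11.v20180605' -> (9, 4, 11); the .vYYYYMMDD build stamp is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(p) for p in m.groups())

def older_than(version, baseline):
    """True if `version` is an earlier release than `baseline`."""
    return release_tuple(version) < release_tuple(baseline)

def make_sample_jar(version):
    """Constructed stand-in for an uberjar, so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties",
                    f"#Generated by Maven\nversion={version}\n"
                    "groupId=org.eclipse.jetty\nartifactId=jetty-server\n")
        zf.writestr("metabase/core.clj", "; unrelated entry")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Baseline is the release the thread names as current; supply the fixed
    # version from the advisory you are checking against.
    for artifact, version in bundled_jetty_versions(make_sample_jar("9.4.11.v20180605")).items():
        print(artifact, version, "older than 9.4.14:", older_than(version, "9.4.14.v20181114"))
```

Pass the path to a real JAR to `bundled_jetty_versions` instead of the sample. An empty result means the JAR carries no such metadata, not that Jetty is absent.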