Jetty 9 Vulnerabilities

Multiple vulnerabilities were discovered in jetty9 which could result in HTTP request smuggling (CVE-2017-7656 CVE-2017-7657 CVE-2017-7658). What version of Jetty is in the v0.30.1 .jar?


I just executed OpenVAS on the latest version of Metabase and got this:

Summary
The host is installed with Eclipse Jetty Server and is prone to security bypass vulnerability.

Detection Result
Installed version: 9.4
Fixed version: 9.4.11.v20180605
Installation path / port: 3000/tcp

Would be nice to get more clarification on this.

@fabiolanza Recent versions of Metabase use Jetty version 9.4.15.v20190215 which is not vulnerable: https://github.com/metabase/metabase/blob/master/project.clj#L122

I suspect OpenVAS can’t determine Jetty’s exact version number.
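The scanner output above only recovers "9.4", which cannot distinguish a build before 9.4.11.v20180605 from one after it, so the reliable check for the first post's question (which Jetty is actually inside a given Metabase jar) is to read the version out of the jar itself. The script below is an added example for this thread, not tooling from Metabase, Jetty or OpenVAS. It assumes the uberjar still carries the Maven metadata that jetty-server ships with (META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties); if the build stripped that entry, fall back to the project.clj dependency list linked above. The fixed version is the one quoted in the OpenVAS result, and the jar fixture built by make_test_jar is constructed here so the example runs offline.

```python
"""Read the Jetty version bundled in a Metabase jar and compare it with the
fixed version OpenVAS reported (9.4.11.v20180605).

Added example for this thread; not Metabase's, Jetty's or OpenVAS's own code.
Assumption: the uberjar preserved jetty-server's Maven pom.properties entry.
"""
import io
import re
import zipfile

# Path Maven writes into every artifact it builds; assumed to survive the uberjar merge.
JETTY_POM_PROPERTIES = "META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties"
FIXED_VERSION = "9.4.11.v20180605"  # first fixed release, as quoted by OpenVAS


def parse_jetty_version(version):
    """'9.4.15.v20190215' -> (9, 4, 15, 20190215).

    Jetty 9 tags major.minor.patch with a 'vYYYYMMDD' build date. A string
    without patch or date (the scanner's bare '9.4') parses as (9, 4, 0, 0),
    which sorts below every dated 9.4.x release, so a bare '9.4' is treated
    as not proven fixed rather than as fixed.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.v(\d{8}))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch, date = m.groups()
    return (int(major), int(minor), int(patch or 0), int(date or 0))


def is_fixed(version, fixed=FIXED_VERSION):
    """True when `version` is at or above the first fixed release."""
    return parse_jetty_version(version) >= parse_jetty_version(fixed)


def _as_zip_source(jar):
    # Accept a filesystem path, an open file object, or raw jar bytes.
    return io.BytesIO(jar) if isinstance(jar, (bytes, bytearray)) else jar


def bundled_jetty_version(jar):
    """Return the 'version' value from jetty-server's pom.properties, or None
    if the jar carries no such entry."""
    with zipfile.ZipFile(_as_zip_source(jar)) as zf:
        if JETTY_POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(JETTY_POM_PROPERTIES).decode("ascii").splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return value.strip()
    return None


def check_jar(jar):
    """(version, verdict): verdict is 'fixed', 'vulnerable', or 'unknown' when
    the metadata is missing and nothing can be concluded from the jar alone."""
    version = bundled_jetty_version(jar)
    if version is None:
        return None, "unknown"
    return version, ("fixed" if is_fixed(version) else "vulnerable")


def make_test_jar(jetty_version=None):
    """Constructed fixture: a minimal jar holding only jetty-server's
    pom.properties (or nothing at all when jetty_version is None)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if jetty_version is not None:
            zf.writestr(
                JETTY_POM_PROPERTIES,
                "#Generated by Maven\n"
                f"version={jetty_version}\n"
                "groupId=org.eclipse.jetty\n"
                "artifactId=jetty-server\n",
            )
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_jetty.py metabase.jar   (falls back to the fixture)
    target = sys.argv[1] if len(sys.argv) > 1 else make_test_jar("9.4.15.v20190215")
    print(check_jar(target))
```

For a one-off manual check the same lookup is `unzip -p metabase.jar META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties`; the script only adds the version comparison, which matters because a string compare would rank "9.4.9" above "9.4.11". An "unknown" verdict means the jar gave no answer, not that it is safe.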