Jetty 9 Vulnerabilities

Multiple vulnerabilities were discovered in jetty9 which could result in HTTP request smuggling (CVE-2017-7656, CVE-2017-7657, CVE-2017-7658). What version of Jetty is in the v0.30.1 .jar?


I just executed OpenVAS on the latest version of Metabase and got this:

The host is installed with Eclipse Jetty Server and is prone to security bypass vulnerability.
Detection Result

Installed version: 9.4
Fixed version: 9.4.11.v20180605
path / port: 3000/tcp

Would be nice to get more clarification on this.

@fabiolanza Recent versions of Metabase use Jetty version 9.4.15.v20190215 which is not vulnerable:

I suspect OpenVAS can’t determine Jetty’s exact version number.
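
One way to settle the question raised in this thread, as an added example that is not code from the thread or from Metabase: read the bundled Jetty version out of the jar and compare it with the scanner's fixed version, treating a truncated banner such as `9.4` as undecidable. It assumes the jar keeps jetty-server's Maven `pom.properties` at the standard path; the function names and the in-memory jar are constructed for illustration.

```python
import io
import re
import zipfile

FIXED = "9.4.11.v20180605"  # "Fixed version" from the scan result quoted above
# Assumption: the application jar retains jetty-server's Maven metadata here.
POM = "META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties"

def numeric_parts(version):
    """Leading numeric components: '9.4.11.v20180605' -> (9, 4, 11).
    Qualifiers such as the date stamp are ignored."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def assess(reported, fixed=FIXED):
    """Return 'fixed', 'vulnerable' or 'indeterminate' for a reported version."""
    have, need = numeric_parts(reported), numeric_parts(fixed)
    if not have or (len(have) < len(need) and have == need[:len(have)]):
        # '9.4' matches both 9.4.10 and 9.4.15, so the banner decides nothing.
        return "indeterminate"
    return "fixed" if have >= need else "vulnerable"

def jetty_version_in_jar(jar):
    """Read the bundled Jetty version from a jar path or file object, or None."""
    with zipfile.ZipFile(jar) as zf:
        if POM not in zf.namelist():
            return None
        text = zf.read(POM).decode("utf-8", "replace")
    match = re.search(r"^version=(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None

def constructed_jar(version):
    """Build an in-memory stand-in for an application jar (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"artifactId=jetty-server\nversion={version}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("scanner banner 9.4 ->", assess("9.4"))
    bundled = jetty_version_in_jar(constructed_jar("9.4.15.v20190215"))
    print("jar metadata", bundled, "->", assess(bundled))
```

Against a real deployment, pass the path of the jar file to `jetty_version_in_jar` instead of the constructed sample.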