Upgrade Jetty Webserver JAR

Hello together,

in the current JAR version of Metabase (0.31.1) there exist multiple vulnerabilities:

High (CVSS: 7.5)
NVT: Eclipse Jetty Server Fake Pipeline Request Security Bypass Vulnerability (OID:

Medium (CVSS: 5.0)
NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability (OID:

As mention the suggested solution is to upgrade it to the newest version. Could you please upgrade it during the next releases or is there a way to do it on our own without compiling the whole source code?

Furthermore is it possible to deactivate HTTP while HTTPS is used?

Thank you very much.

I’ve checked the config files in the Metabase JAR - seems it is on a non-vulnerable version: 9.4.11.v20180605. Can somebody confirm this?

Nevertheless the current version is 9.4.14.v20181114 - it might be time to upgrade to it as the last release the used release is from June 2018.