PT-2020-4636 · Eclipse · Eclipse Jetty
Published
2020-07-09
·
Updated
2021-06-14
·
CVE-2019-17638
CVSS v2.0
9.7
Critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty versions 9.4.27.v20200227 through 9.4.29.v20200521
Description
The vulnerability is in Eclipse Jetty's handling of response headers that exceed the configured responseHeaderSize. When the headers do not fit, Jetty throws an exception in order to return an HTTP 431 (Request Header Fields Too Large) error, and on that error path the ByteBuffer that was holding the response headers is released back to the ByteBufferPool twice. Because of the double release, two threads can acquire the same ByteBuffer from the pool: while one thread is about to write its response from the buffer, a second thread fills the same buffer with data for an unrelated request or response, and the first thread then sends that data to its client. The result is that a client can receive data belonging to another client's request or response, which may include sensitive information such as HTTP session IDs or authentication credentials.
Recommendations
Upgrade to Eclipse Jetty 9.4.30.v20200611 or later, where the double release is fixed.
If upgrading is not immediately possible, the vulnerability can be mitigated by configuring responseHeaderSize significantly larger than requestHeaderSize (for example, 12KB responseHeaderSize and 8KB requestHeaderSize). The mitigation works because the faulty double release only happens on the "headers too large" error path; giving responses more header room than requests makes that path far less likely to be reached. It is a workaround, not a fix: a response whose headers still exceed the larger limit can trigger the same double release.
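The following is an added example (not code from this advisory or from the Jetty project) showing how the recommended header sizes are applied to an embedded Jetty 9.4.x server, alongside a default-like configuration in which both limits are equal, plus a helper that checks whether the running Jetty version falls in the affected range. The class name HeaderSizeMitigation, the constants and the helper methods are this example's own; HttpConfiguration, HttpConnectionFactory, ServerConnector and org.eclipse.jetty.util.Jetty.VERSION are the real Jetty 9.4 APIs.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.Jetty;

// Added example, not code from the advisory or the Jetty project.
public class HeaderSizeMitigation {

    // Sizes taken from the advisory's recommendation (8KB request, 12KB response).
    static final int REQUEST_HEADER_SIZE = 8 * 1024;
    static final int RESPONSE_HEADER_SIZE = 12 * 1024;

    // Default-like configuration: both limits equal (Jetty 9.4 defaults to 8KB for both).
    // A response whose headers exceed 8KB takes the 431 error path where the
    // double release of the header ByteBuffer occurs on affected versions.
    static HttpConfiguration defaultLikeConfig() {
        HttpConfiguration cfg = new HttpConfiguration();
        cfg.setRequestHeaderSize(8 * 1024);
        cfg.setResponseHeaderSize(8 * 1024);
        return cfg;
    }

    // Mitigated configuration: responseHeaderSize well above requestHeaderSize,
    // so the "headers too large" path is much harder to reach.
    static HttpConfiguration mitigatedConfig() {
        HttpConfiguration cfg = new HttpConfiguration();
        cfg.setRequestHeaderSize(REQUEST_HEADER_SIZE);
        cfg.setResponseHeaderSize(RESPONSE_HEADER_SIZE);
        return cfg;
    }

    // True when the configuration follows the advisory's workaround
    // (response limit at least 1.5x the request limit, as in 12KB vs 8KB).
    static boolean hasHeaderSizeWorkaround(HttpConfiguration cfg) {
        return cfg.getResponseHeaderSize() * 2 >= cfg.getRequestHeaderSize() * 3;
    }

    // True for a version string in the affected range 9.4.27 .. 9.4.29,
    // regardless of the ".vYYYYMMDD" build suffix (e.g. "9.4.28.v20200408").
    static boolean isAffectedVersion(String version) {
        String[] parts = version.split("\\.");
        if (parts.length < 3) {
            return false;
        }
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = Integer.parseInt(parts[1]);
            int patch = Integer.parseInt(parts[2]);
            return major == 9 && minor == 4 && patch >= 27 && patch <= 29;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (isAffectedVersion(Jetty.VERSION)) {
            System.err.println("WARNING: Jetty " + Jetty.VERSION
                    + " is affected by CVE-2019-17638; upgrade to 9.4.30.v20200611 or later.");
        }

        HttpConfiguration cfg = mitigatedConfig();
        if (!hasHeaderSizeWorkaround(cfg)) {
            throw new IllegalStateException("responseHeaderSize must be significantly larger than requestHeaderSize");
        }

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(cfg));
        connector.setPort(8080); // assumed port for the example
        server.addConnector(connector);
        server.start();
        server.join();
    }
}
```

For a distribution started via start.jar rather than embedded, the same two limits are the jetty.httpConfig.requestHeaderSize and jetty.httpConfig.responseHeaderSize properties of the http module (set them to 8192 and 12288 in start.ini or start.d). Treat the size split as a stop-gap only; the version check is there precisely so the upgrade does not get forgotten once the workaround is in place.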
Related Identifiers
Affected Products
Eclipse Jetty