JetBrains Ktor


By the Year

In 2024 there have been 0 vulnerabilities in JetBrains Ktor. Last year Ktor had 4 security vulnerabilities published. Right now, Ktor is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 4 7.43
2022 4 5.05
2021 4 5.85
2020 2 7.00
2019 5 6.94
2018 0 0.00

It may take a day or so for new Ktor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Ktor Security Vulnerabilities

CVE-2023-45612 9.8 - Critical - October 09, 2023

In JetBrains Ktor before 2.3.5, the default configuration of ContentNegotiation with XML format was vulnerable to XXE.

XXE

CVE-2023-45613 9.1 - Critical - October 09, 2023

In JetBrains Ktor before 2.3.5, server certificates were not verified.

Improper Certificate Validation

CVE-2023-34339 3.3 - Low - June 01, 2023

In JetBrains Ktor before 2.3.1, headers containing authentication data could be added to the exception's message.

Generation of Error Message Containing Sensitive Information

CVE-2022-48476 7.5 - High - April 24, 2023

In JetBrains Ktor before 2.3.0, path traversal in the `resolveResource` method was possible.

Directory Traversal

CVE-2022-38180 6.5 - Medium - August 12, 2022

In JetBrains Ktor before 2.1.0, the wrong authentication provider could be selected in some cases.

Authentication

CVE-2022-38179 6.1 - Medium - August 12, 2022

JetBrains Ktor before 2.1.0 was vulnerable to the Reflected File Download attack.

Incorrect Comparison

CVE-2022-29930 4.9 - Medium - May 12, 2022

The SHA1 implementation in JetBrains Ktor Native 2.0.0 was returning the same value. The issue was fixed in Ktor version 2.0.1.

Use of Insufficiently Random Values

CVE-2022-29035 2.7 - Low - April 11, 2022

In JetBrains Ktor Native before version 2.0.0, random values used for nonce generation weren't using SecureRandom implementations.

Use of Insufficiently Random Values

CVE-2021-43203 7.5 - High - November 09, 2021

In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.

Authentication

CVE-2021-25763 5.3 - Medium - February 03, 2021

In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by default.

Use of a Broken or Risky Cryptographic Algorithm

CVE-2021-25762 5.3 - Medium - February 03, 2021

In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible.

HTTP Request Smuggling

CVE-2021-25761 5.3 - Medium - February 03, 2021

In JetBrains Ktor before 1.5.0, a birthday attack on SessionStorage key was possible.

Inadequate Encryption Strength

CVE-2020-26129 6.5 - Medium - November 16, 2020

In JetBrains Ktor before 1.4.1, HTTP request smuggling was possible.

HTTP Request Smuggling

CVE-2020-5207 7.5 - High - January 27, 2020

In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.

HTTP Request Smuggling

CVE-2019-19389 5.4 - Medium - December 26, 2019

JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP Response Splitting.

Injection

CVE-2019-19703 6.1 - Medium - December 10, 2019

In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location.

Open Redirect

CVE-2019-12737 5.3 - Medium - October 02, 2019

UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.

Use of Password Hash With Insufficient Computational Effort

CVE-2019-12736 9.8 - Critical - October 02, 2019

JetBrains Ktor framework before 1.2.0-rc does not sanitize the username provided by the user for the LDAP protocol, leading to command injection.

Command Injection

CVE-2019-10102 8.1 - High - July 03, 2019

JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an HTTP connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.

Cleartext Transmission of Sensitive Information
