Jetty Security Notice Overview

CData is aware of a potential security issue with the Jetty embedded webserver (versions as high as 10.0.20, 11.0.20, and 12.0.7).

Date Entered: 03/25/2024    Last Updated: 03/26/2024

Eclipse Jetty Embedded Webserver Security Overview

A security issue has been identified that affects customers of CData products, including CData API Server, CData Arc (ArcESB), CData Connect (On-prem), and CData Sync. This security issue applies to customers who are running the Java Edition of these products and using Jetty (the default embedded Web Server). If you are running the .NET installation or using another servlet container like Tomcat as the web server, you can ignore this notification.


A security vulnerability has been identified that could allow a malicious actor to bypass application authentication when accessing specific endpoints that usually require authentication. CData was made aware of this vulnerability when hosted in Eclipse Jetty via an established third-party security firm as part of a broader notice. At this time, we are unaware of any compromised customer installations.

A successful exploit of this vulnerability would require:

  • An attacker to possess knowledge of the application's backend endpoints.
  • An attacker to craft requests in a special way to cause the web server to trigger a path traversal.
  • The application being hosted in Jetty (versions as high as 10.0.20, 11.0.20, and 12.0.7).


Our engineering and security teams have worked to provide software updates that eliminate this issue. If you use one of the applications in this notice, please upgrade to the latest release.

CData API Server:
(version: 23.4.8844+)
CData Arc (ArcESB):
(version: 23.4.8839+)
CData Connect:
(version: 23.4.8846+)
CData Sync:
(version: 23.4.8843+)

More info

The security firm Tenable discovered a path traversal vulnerability affecting the Java versions of CData products when hosted on Jetty, and has filed an official CVE notification. This is an important CVE notice with a risk score of 8.0+. Validation is pending NIST confirmation.

NVD Published Date  04/05/2024
CVE Dictionary Entries  CVE-2024-31848

We appreciate your feedback.  If you have any questions, comments, or suggestions about this entry, please contact our support team at