CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-41900 – Jetty's OpenId Revoked authentication allows one request
https://notcve.org/view.php?id=CVE-2023-41900
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. • https://github.com/eclipse/jetty.project/pull/9528 https://github.com/eclipse/jetty.project/pull/9660 https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48 https://security.netapp.com/advisory/ntap-20231110-0004 https://www.debian.org/security/2023/dsa-5507 https://access.redhat.com/security/cve/CVE-2023-41900 https://bugzilla.redhat.com/show_bug.cgi?id=2247052 • CWE-287: Improper Authentication CWE-1390: Weak Authentication •
CVE-2023-40167 – Jetty accepts "+" prefixed value in Content-Length
https://notcve.org/view.php?id=CVE-2023-40167
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. • https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6 https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://www.debian.org/security/2023/dsa-5507 https://www.rfc-editor.org/rfc/rfc9110#section-8.6 https://access.redhat.com/security/cve/CVE-2023-40167 https://bugzilla.redhat.com/show_bug.cgi?id=2239634 • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVE-2023-36479 – Jetty vulnerable to errant command quoting in CGI Servlet
https://notcve.org/view.php?id=CVE-2023-36479
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. • https://github.com/eclipse/jetty.project/pull/9516 https://github.com/eclipse/jetty.project/pull/9888 https://github.com/eclipse/jetty.project/pull/9889 https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://www.debian.org/security/2023/dsa-5507 https://access.redhat.com/security/cve/CVE-2023-36479 https://bugzilla.redhat.com/show_bug.cgi?id=2239630 • CWE-149: Improper Neutralization of Quoting Syntax •
CVE-2023-26049 – Cookie parsing of quoted values can exfiltrate values from other cookies in Eclipse Jetty
https://notcve.org/view.php?id=CVE-2023-26049
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. • https://github.com/eclipse/jetty.project/pull/9339 https://github.com/eclipse/jetty.project/pull/9352 https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://security.netapp.com/advisory/ntap-20230526-0001 https://www.debian.org/security/2023/dsa-5507 https://www.rfc-editor.org/rfc/rfc2965 https://www.rfc-editor.org/rfc/rfc6265 https://access.redhat.com/security/cve/CVE-2023 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-1286: Improper Validation of Syntactic Correctness of Input •