CVE-2023-40167 – Jetty accepts "+" prefixed value in Content-Length
https://notcve.org/view.php?id=CVE-2023-40167
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts a `+` character preceding the Content-Length value in an HTTP/1 header field. This is more permissive than the RFC allows (RFC 9110 section 8.6 defines Content-Length as a sequence of digits only), and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but request smuggling is conceivable if Jetty is used behind or in front of a server that does not close the connection after sending such a 400 response, since the two would disagree about where the request body ends. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. • https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6 https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://www.debian.org/security/2023/dsa-5507 https://www.rfc-editor.org/rfc/rfc9110#section-8.6 https://access.redhat.com/security/cve/CVE-2023-40167 https://bugzilla.redhat.com/show_bug.cgi?id=2239634 • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVE-2023-36479 – Jetty vulnerable to errant command quoting in CGI Servlet
https://notcve.org/view.php?id=CVE-2023-36479
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. • https://github.com/eclipse/jetty.project/pull/9516 https://github.com/eclipse/jetty.project/pull/9888 https://github.com/eclipse/jetty.project/pull/9889 https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://www.debian.org/security/2023/dsa-5507 https://access.redhat.com/security/cve/CVE-2023-36479 https://bugzilla.redhat.com/show_bug.cgi?id=2239630 • CWE-149: Improper Neutralization of Quoting Syntax •
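The quoting failure above is easiest to see side by side with the fix pattern: build an argument vector instead of a single command string. This is an added example, not Jetty's code. `shlex.split` stands in for whatever quote-aware tokenizer a single-string exec API applies to its argument; that stand-in is an assumption of this example and says nothing about how Runtime.exec itself splits strings. The CGI path values are constructed.

```python
import shlex
from typing import List, Optional


def build_command_vulnerable(cgi_path: str, prefix: Optional[str] = None) -> str:
    """The pattern the advisory describes: if the binary's path contains a
    space, wrap it in double quotes and hand everything over as ONE string."""
    cmd = f'"{cgi_path}"' if " " in cgi_path else cgi_path
    return f"{prefix} {cmd}" if prefix else cmd


def build_command_fixed(cgi_path: str, prefix: Optional[str] = None) -> List[str]:
    """Build an argument vector. Each element reaches the child process as a
    single argument, so quotes and spaces inside the path are just data."""
    argv = shlex.split(prefix) if prefix else []
    argv.append(cgi_path)
    return argv


def tokenize(command_line: str) -> List[str]:
    """Quote-aware whitespace split (stand-in tokenizer, see lead-in)."""
    return shlex.split(command_line)


if __name__ == "__main__":
    benign = "cgi-bin/report tool"            # constructed: a space, no quotes
    hostile = 'cgi-bin/x" evil "y'            # constructed: quote followed by space
    for path in (benign, hostile):
        line = build_command_vulnerable(path, prefix="/usr/bin/env")
        print(f"{path!r:24} -> {line!r}")
        print(f"{'':24}    tokens: {tokenize(line)}")
        print(f"{'':24}    argv:   {build_command_fixed(path, prefix='/usr/bin/env')}")
```

For the benign path the wrapping does what the author intended, one token. For the hostile path the user's own quote closes the wrapper early and the remainder becomes separate tokens; the argv form keeps the whole path in one element no matter what it contains.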
CVE-2023-26049 – Cookie parsing of quoted values can exfiltrate values from other cookies in Eclipse Jetty
https://notcve.org/view.php?id=CVE-2023-26049
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker who can set the DISPLAY_LANGUAGE cookie can smuggle the JSESSIONID cookie into its value and thereby exfiltrate it. • https://github.com/eclipse/jetty.project/pull/9339 https://github.com/eclipse/jetty.project/pull/9352 https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://security.netapp.com/advisory/ntap-20230526-0001 https://www.debian.org/security/2023/dsa-5507 https://www.rfc-editor.org/rfc/rfc2965 https://www.rfc-editor.org/rfc/rfc6265 https://access.redhat.com/security/cve/CVE-2023 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-1286: Improper Validation of Syntactic Correctness of Input •
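The two parsing behaviours are small enough to write out. Below is an added example, not Jetty's code: `parse_cookies_quoted` implements the quote-spanning behaviour the advisory describes (a reconstruction from the description, an assumption of this example) and `parse_cookies_rfc6265` does what RFC 6265 section 5.4 prescribes, splitting on `;` before anything else. The header value is the one quoted above.

```python
from typing import Dict


def parse_cookies_quoted(header: str) -> Dict[str, str]:
    """Reconstruction of the advisory's behaviour: a value that starts with '"'
    is read up to the closing quote, swallowing every ';' in between."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":      # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':            # quoted value: run to closing quote
            end = header.find('"', j + 1)
            if end == -1:
                end = n
            value, i = header[j + 1:end], end + 1
        else:                                     # unquoted value: run to ';'
            end = header.find(";", j)
            if end == -1:
                end = n
            value, i = header[j:end].strip(), end
        cookies[name] = value
    return cookies


def parse_cookies_rfc6265(header: str) -> Dict[str, str]:
    """RFC 6265 s5.4 style: split on ';' first, then each pair on its first '='.
    A double quote is never a grouping construct, so ';' always ends a cookie."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value.strip()
    return cookies


def session_leaks_into(header: str, rendered_cookie: str, secret_cookie: str) -> bool:
    """Does the quote-spanning parser place the secret cookie's name inside the
    value of a cookie the application later renders?"""
    return f"{secret_cookie}=" in parse_cookies_quoted(header).get(rendered_cookie, "")


if __name__ == "__main__":
    # Constructed header, the same shape as the one in the advisory text.
    hdr = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'
    print("quoted :", parse_cookies_quoted(hdr))
    print("rfc6265:", parse_cookies_rfc6265(hdr))
    print("leak   :", session_leaks_into(hdr, "DISPLAY_LANGUAGE", "JSESSIONID"))
```

With the RFC parser the quote is simply part of the DISPLAY_LANGUAGE value and JSESSIONID remains its own cookie, which is the property an HttpOnly flag relies on.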
CVE-2023-26048 – OutOfMemoryError for large multipart without filename in Eclipse Jetty
https://notcve.org/view.php?id=CVE-2023-26048
Jetty is a Java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. • https://github.com/eclipse/jetty.project/issues/9076 https://github.com/eclipse/jetty.project/pull/9344 https://github.com/eclipse/jetty.project/pull/9345 https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8 https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://security.netapp.com/advisory/ntap-20230526-0001 https://www. • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
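The property that went missing is that a part's content must spill to disk once it crosses the size threshold whether or not the part carries a filename, and that a hard per-part cap exists on top of that. The following is an added example, not Jetty's multipart code: a minimal multipart/form-data splitter feeding each part through a `PartSink` that holds at most `threshold` bytes in memory. The boundary, field names and body are constructed, and the splitter is deliberately simple (it does not handle nested multipart or boundary-like bytes inside content).

```python
import tempfile
from typing import Dict, List, Optional


class PartSink:
    """Buffers a part in memory only up to `threshold` bytes, then moves the
    data to a temp file. The decision depends on size alone, never on whether
    the part has a filename."""

    def __init__(self, name: str, filename: Optional[str], threshold: int):
        self.name, self.filename, self.threshold = name, filename, threshold
        self.size = 0
        self._buf = bytearray()
        self._file = None

    def write(self, chunk: bytes) -> None:
        self.size += len(chunk)
        if self._file is None:
            if self.size <= self.threshold:
                self._buf += chunk
                return
            self._file = tempfile.TemporaryFile()   # crossed threshold: spill
            self._file.write(bytes(self._buf))
            self._buf = bytearray()
        self._file.write(chunk)

    @property
    def in_memory(self) -> bool:
        return self._file is None

    def read(self) -> bytes:
        if self._file is None:
            return bytes(self._buf)
        self._file.seek(0)
        return self._file.read()


def _disposition_params(headers: bytes) -> Dict[str, str]:
    """Extract name/filename from Content-Disposition (quoted params only)."""
    out: Dict[str, str] = {}
    for line in headers.split(b"\r\n"):
        if line.lower().startswith(b"content-disposition:"):
            for param in line.decode("latin-1").split(";")[1:]:
                key, _, val = param.strip().partition("=")
                out[key] = val.strip('"')
    return out


def parse_multipart(body: bytes, boundary: bytes, threshold: int = 0,
                    max_part_size: Optional[int] = None, chunk: int = 8192) -> List[PartSink]:
    """Split `body` on the boundary and stream each part's content into a
    PartSink in `chunk`-sized pieces, enforcing `max_part_size` as it goes."""
    parts: List[PartSink] = []
    for section in body.split(b"--" + boundary)[1:]:
        if section.startswith(b"--"):             # closing delimiter
            break
        if section.startswith(b"\r\n"):
            section = section[2:]
        headers, _, content = section.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        params = _disposition_params(headers)
        sink = PartSink(params.get("name", ""), params.get("filename"), threshold)
        for off in range(0, len(content), chunk):
            sink.write(content[off:off + chunk])
            if max_part_size is not None and sink.size > max_part_size:
                raise ValueError(f"part {sink.name!r} exceeds {max_part_size} bytes")
        parts.append(sink)
    return parts


def build_body(boundary: bytes, name: str, content: bytes, filename: Optional[str] = None) -> bytes:
    """Constructed sample request body with a single part (not captured traffic)."""
    disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
    return (b"--" + boundary + b"\r\nContent-Disposition: " + disp.encode("ascii")
            + b"\r\n\r\n" + content + b"\r\n--" + boundary + b"--\r\n")


def fits_within(body: bytes, boundary: bytes, max_part_size: int) -> bool:
    """True if every part stays under the cap; False if the cap trips."""
    try:
        parse_multipart(body, boundary, threshold=0, max_part_size=max_part_size)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    big = b"A" * 100_000                          # constructed: large part, no filename
    body = build_body(b"xyz", "blob", big)
    part = parse_multipart(body, b"xyz", threshold=0)[0]
    print(part.name, part.filename, part.size, "in_memory=", part.in_memory)
    print("under 50 KiB cap:", fits_within(body, b"xyz", 50 * 1024))
```

Two knobs matter for the class of bug in the advisory: the threshold decides where bytes live, and the cap decides when to stop reading. A parser that keys either decision on the presence of a filename leaves the nameless-part path unbounded.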
CVE-2022-2047 – jetty-http: improper hostname input handling
https://notcve.org/view.php?id=CVE-2022-2047
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario, where the mis-parsed authority is used to pick or connect to an upstream. • https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html https://security.netapp.com/advisory/ntap-20220901-0006 https://www.debian.org/security/2022/dsa-5198 https://access.redhat.com/security/cve/CVE-2022-2047 https://bugzilla.redhat.com/show_bug.cgi?id=2116949 • CWE-20: Improper Input Validation •
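The advisory does not say which input HttpURI mistook for a hostname, so the example below does not try to reproduce the trigger. It is an added example, not Jetty's code, showing the general check a proxy should apply before trusting an authority: split it into userinfo, host and port and accept the host only if it is syntactically an RFC 3986 reg-name or a bracketed IP-literal, with a digits-only port and (per RFC 9110 section 4.2.1, which forbids an empty host in an http URI) a non-empty host. The character classes come from RFC 3986 section 3.2; the sample inputs are constructed.

```python
import re
from typing import NamedTuple, Optional


class Authority(NamedTuple):
    userinfo: Optional[str]
    host: str
    port: Optional[int]


# RFC 3986 s3.2: userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
#                reg-name = *( unreserved / pct-encoded / sub-delims )
#                port     = *DIGIT
_USERINFO = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*")
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")
_PORT = re.compile(r":[0-9]*")
# Shape check only: the IPv6 address grammar itself is not validated here.
_IP_LITERAL = re.compile(r"\[[0-9A-Fa-f:.]+\]")


def parse_authority(authority: str) -> Authority:
    """Strictly parse 'userinfo@host:port'; raise ValueError on anything that
    is not a syntactically valid authority for an http URI."""
    userinfo = None
    if "@" in authority:
        userinfo, authority = authority.rsplit("@", 1)
        if not _USERINFO.fullmatch(userinfo):
            raise ValueError(f"invalid userinfo {userinfo!r}")
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            raise ValueError("unterminated IP-literal")
        host, rest = authority[:end + 1], authority[end + 1:]
        if not _IP_LITERAL.fullmatch(host):
            raise ValueError(f"invalid IP-literal {host!r}")
    else:
        host, sep, port_text = authority.partition(":")
        rest = sep + port_text
        if not host:
            raise ValueError("empty host")          # RFC 9110 s4.2.1 for http URIs
        if not _REG_NAME.fullmatch(host):
            raise ValueError(f"invalid host {host!r}")
    port = None
    if rest:
        if not _PORT.fullmatch(rest):
            raise ValueError(f"invalid port {rest!r}")
        port = int(rest[1:]) if len(rest) > 1 else None
    return Authority(userinfo, host, port)


def is_valid_authority(authority: str) -> bool:
    """Boolean form of parse_authority for callers that only need accept/reject."""
    try:
        parse_authority(authority)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for a in ["example.com:8080", "user:pw@example.com", "[2001:db8::1]:443",
              "exa mple.com", "example.com:80x", "example.com:80:80", "", "[::1"]:
        print(f"{a!r:26} valid={is_valid_authority(a)}")
```

A proxy that routes on the parsed host should reject on any ValueError rather than fall back to a best-effort guess; a lenient parser that lets malformed input through as a "hostname" is exactly the failure mode the advisory describes.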