CVE-2023-26049 – Cookie parsing of quoted values can exfiltrate values from other cookies in Eclipse Jetty
https://notcve.org/view.php?id=CVE-2023-26049
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. • https://github.com/eclipse/jetty.project/pull/9339 https://github.com/eclipse/jetty.project/pull/9352 https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://security.netapp.com/advisory/ntap-20230526-0001 https://www.debian.org/security/2023/dsa-5507 https://www.rfc-editor.org/rfc/rfc2965 https://www.rfc-editor.org/rfc/rfc6265 https://access.redhat.com/security/cve/CVE-2023 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVE-2023-26048 – OutOfMemoryError for large multipart without filename in Eclipse Jetty
https://notcve.org/view.php?id=CVE-2023-26048
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. • https://github.com/eclipse/jetty.project/issues/9076 https://github.com/eclipse/jetty.project/pull/9344 https://github.com/eclipse/jetty.project/pull/9345 https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8 https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html https://security.netapp.com/advisory/ntap-20230526-0001 https://www. • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-0100
https://notcve.org/view.php?id=CVE-2023-0100
In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched on Eclipse BIRT 4.13. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=580391 • CWE-20: Improper Input Validation •
CVE-2023-24815 – Disclosure of classpath resources on Windows when mounted on a wildcard route in vertx-web
https://notcve.org/view.php?id=CVE-2023-24815
Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: `return "/" + rest;` from `Utils.java` returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized `\` are not properly handled and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in windows environments and upgrading is the advised remediation path. • https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83 https://github.com/vert-x3/vertx-web/commit/9e3a783b1d1a731055e9049078b1b1494ece9c15 https://github.com/vert-x3/vertx-web/security/advisories/GHSA-53jx-vvf9-4x38 https://access.redhat.com/security/cve/CVE-2023-24815 https://bugzilla.redhat.com/show_bug.cgi?id=2209400 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-2712
https://notcve.org/view.php?id=CVE-2022-2712
In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code. En las versiones 5.1.0 a 6.2.5 de Eclipse GlassFish, existe una vulnerabilidad en relative path traversal porque no filtra la ruta de solicitud que comienza con './'. Una explotación exitosa podría permitir que un atacante remoto no autenticado acceda a datos críticos, como archivos de configuración y código fuente de aplicaciones implementadas. • https://bugs.eclipse.org/580502 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •