CVE-2023-26048

OutOfMemoryError for large multipart without filename in Eclipse Jetty

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
RedHat

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

A flaw was found in the jetty-server package. A servlet with multipart support could get an OutOfMemorryError when the client sends a part that has a name but no filename and substantial content. This flaw allows a malicious user to jeopardize the environment by leaving the JVM in an unreliable state.

*Credits: N/A

CVSS Scores

NISTv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-02-17 CVE Reserved
2023-04-18 CVE Published
2024-07-23 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (10)

URL	Tag	Source
https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload	Technical Description
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
https://security.netapp.com/advisory/ntap-20230526-0001
https://www.debian.org/security/2023/dsa-5507

URL	Date	SRC

URL	Date	SRC
https://github.com/eclipse/jetty.project/issues/9076	2023-09-30
https://github.com/eclipse/jetty.project/pull/9344	2023-09-30
https://github.com/eclipse/jetty.project/pull/9345	2023-09-30

URL	Date	SRC
https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8	2023-09-30
https://access.redhat.com/security/cve/CVE-2023-26048	2024-05-28
https://bugzilla.redhat.com/show_bug.cgi?id=2236340	2024-05-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Search vendor "Eclipse"		Jetty Search vendor "Eclipse" for product "Jetty"				< 9.4.51 Search vendor "Eclipse" for product "Jetty" and version " < 9.4.51"		-		Affected
Eclipse Search vendor "Eclipse"		Jetty Search vendor "Eclipse" for product "Jetty"				>= 10.0.0 < 10.0.14 Search vendor "Eclipse" for product "Jetty" and version " >= 10.0.0 < 10.0.14"		-		Affected
Eclipse Search vendor "Eclipse"		Jetty Search vendor "Eclipse" for product "Jetty"				>= 11.0.0 < 11.0.14 Search vendor "Eclipse" for product "Jetty" and version " >= 11.0.0 < 11.0.14"		-		Affected