CVE-2023-36479

Jetty vulnerable to errant command quoting in CGI Servlet

Severity Score: 4.3 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: see the table below (CPE)
Public Exploits: 1 (multiple sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)

Descriptions

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

A flaw was found in Jetty's CGI servlet that permits incorrect command execution in specific circumstances, such as requests with certain characters in the requested filename. This issue could allow an attacker to run permitted commands other than the one requested.
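To make the quoting failure concrete, here is an added Python illustration (not Jetty's code and not the project's patch) that reconstructs the wrap-in-quotes pattern the descriptions above outline, a defensive check that flags names which no longer tokenize to a single argument, and the argv-list form that avoids building a command-line string at all. `shlex.split` stands in for the tokenizer behind Runtime.exec, and the sample names are constructed.

```python
"""Added illustration of CWE-149 (improper neutralization of quoting syntax)
as described for the Jetty CGI servlet. Not Jetty's code."""
import shlex
from typing import List, Optional


def naive_wrap(binary_name: str, cmd_prefix: Optional[str] = None) -> str:
    """Reconstruction of the flawed pattern: if the name contains a space,
    wrap it in double quotes, prepend an optional command prefix, and return
    the whole thing as one command-line string."""
    cmd = binary_name
    if " " in cmd:
        cmd = '"' + cmd + '"'
    if cmd_prefix:
        cmd = cmd_prefix + " " + cmd
    return cmd


def tokenize(command_line: str) -> List[str]:
    """POSIX-style split; stands in for the tokenizer that later splits the
    string into a process argument list."""
    return shlex.split(command_line)


def wrapped_is_single_token(binary_name: str) -> bool:
    """Defensive check: after wrapping, does the name still come out as
    exactly one argument? An unbalanced quote counts as a failure too."""
    try:
        return len(tokenize(naive_wrap(binary_name))) == 1
    except ValueError:  # "No closing quotation"
        return False


def safe_argv(binary_name: str, cmd_prefix: Optional[str] = None) -> List[str]:
    """Hardened form (assumed design, not the upstream fix): validate the
    name, then pass an argv list so the name is always one argument and no
    quoting is needed. A stricter allowlist is better in real code."""
    if any(ch in binary_name for ch in ('"', "\n", "\0")):
        raise ValueError("binary name contains characters that are not allowed")
    argv = shlex.split(cmd_prefix) if cmd_prefix else []
    argv.append(binary_name)
    return argv


if __name__ == "__main__":
    # Constructed names: a space-only name survives wrapping, a name with a
    # quote followed by a space does not.
    print(tokenize(naive_wrap("my script")))      # ['my script']
    print(tokenize(naive_wrap('foo" "bar')))      # ['foo', 'bar']
    print(safe_argv("my script", "perl -T"))      # ['perl', '-T', 'my script']
```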

*Credits: N/A
CVSS Scores
  • First scoring: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: Low; Availability: None
  • Second scoring: AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
    Attack Vector: Network; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: Changed; Confidentiality: None; Integrity: Low; Availability: None
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Technical Impact: Partial
Timeline
  • 2023-06-21 CVE Reserved
  • 2023-09-15 CVE Published
  • 2024-09-21 EPSS Updated
  • 2024-09-25 CVE Updated
  • 2024-09-25 First Exploit
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
CWE
  • CWE-149: Improper Neutralization of Quoting Syntax
Affected Vendors, Products, and Versions

Vendor   Product       Version               Other    Status
Eclipse  Jetty         >= 9.0.0 < 9.4.52     -        Affected
Eclipse  Jetty         >= 10.0.0 < 10.0.16   -        Affected
Eclipse  Jetty         >= 11.0.0 < 11.0.16   -        Affected
Eclipse  Jetty         12.0.0                alpha1   Affected
Eclipse  Jetty         12.0.0                alpha2   Affected
Eclipse  Jetty         12.0.0                alpha3   Affected
Eclipse  Jetty         12.0.0                beta0    Affected
Eclipse  Jetty         12.0.0                beta1    Affected
Debian   Debian Linux  10.0                  -        Affected
Debian   Debian Linux  11.0                  -        Affected
Debian   Debian Linux  12.0                  -        Affected