The Eclipse Jetty project is announcing two security vulnerabilities in the Eclipse Jetty Server project.
Both were fixed in Jetty 11.0.14, 10.0.14, and 9.4.51; if you are upgrading, we encourage you to use 11.0.15, 10.0.15, and 9.4.51 instead.
CVE-2023-26049 : Cookie parsing of quoted values can exfiltrate values from other cookies
Severity (Low) 3.7 / 10
https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
Affected Jetty versions: <=9.4.50, <=10.0.13, <=11.0.13, <=12.0.0.alpha3
Patched Jetty versions: 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0
Reported by: @arxenix
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-1286 : Improper Validation of Syntactic Correctness of Input
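The advisory title names the bug class (a quoted cookie value swallowing the cookies after it, CWE-1286); the exact conditions in Jetty are in the linked advisory. The following is an added illustration of that class with a toy parser, not Jetty's code: `parse_cookies_lenient` looks for a closing quote before it looks for the `;` separator, so an unterminated quote absorbs every cookie that follows, while `parse_cookies_strict` splits on `;` first (as RFC 6265 section 5.4 does) so a quote can never span two cookies. The cookie header, the cookie names and the session value in it are constructed for the example.

```python
# Added illustration of the bug class named in the advisory title (CWE-1286):
# a toy cookie parser, NOT Jetty's code.
from typing import Dict, List

# Constructed sample header (not from the advisory): the first cookie's value
# opens a double quote that is never closed.
SAMPLE_COOKIE_HEADER = 'DISPLAY_LANGUAGE="en; JSESSIONID=node0abc123; theme=dark'


def parse_cookies_lenient(header: str) -> Dict[str, str]:
    """Quote-aware parser: a '"' at the start of a value is read up to the
    closing '"' (or the end of the header), ignoring any ';' in between."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":          # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break                                    # trailing junk, ignore
        semi = header.find(";", i)
        if semi != -1 and semi < eq:
            i = semi                                 # bare token without '=', drop it
            continue
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':
            end = header.find('"', i + 1)
            if end == -1:
                end = n                              # unterminated quote: take the rest
            value = header[i + 1:end]
            i = end + 1
        else:
            end = header.find(";", i)
            if end == -1:
                end = n
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


def parse_cookies_strict(header: str) -> Dict[str, str]:
    """Separator-first parser: split on ';' before looking at the value, then
    strip one matched pair of surrounding quotes. An unmatched quote stays as
    a literal character and the next cookie is parsed independently."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value
    return cookies


def leaked_cookie_names(header: str) -> List[str]:
    """Names of cookies the lenient parser no longer reports as separate
    cookies because another cookie's quoted value swallowed them."""
    strict = parse_cookies_strict(header)
    lenient = parse_cookies_lenient(header)
    return [name for name in strict if name not in lenient]


if __name__ == "__main__":
    print("lenient:", parse_cookies_lenient(SAMPLE_COOKIE_HEADER))
    print("strict :", parse_cookies_strict(SAMPLE_COOKIE_HEADER))
    print("swallowed by DISPLAY_LANGUAGE:", leaked_cookie_names(SAMPLE_COOKIE_HEADER))
```

With the lenient parser the whole of `JSESSIONID=node0abc123; theme=dark` ends up inside the value of `DISPLAY_LANGUAGE`; any code path that reflects that cookie's value back to the client now reflects the session identifier too, which is the exfiltration the title describes. The strict parser keeps `JSESSIONID` as its own cookie and leaves the stray quote as a literal character.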
CVE-2023-26048 : OutOfMemoryError for large multipart without filename read via request.getParameter()
Severity (Moderate) 5.3 / 10
https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
Affected Jetty versions: <=9.4.50, <=10.0.13, <=11.0.13
Patched Jetty versions: 9.4.51, 10.0.14, 11.0.14
Reported by: @lachlan-roberts
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-404 : Improper Resource Shutdown or Release
CWE-770 : Allocation of Resources Without Limits or Throttling
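As an added example, not part of the Jetty announcement, the affected and patched ranges listed above for both CVEs encoded as a version check that a dependency inventory can call. It assumes Jetty's usual `major.minor.patch` form with an optional qualifier: a `vYYYYMMDD` build stamp (as on 9.4.x artifacts such as 9.4.50.v20221201) is treated as a GA build, and `alphaN` sorts before `betaN`, which sorts before GA. Release lines the advisories do not list (including 12.x for CVE-2023-26048) report nothing rather than a guess; the sample inventory at the bottom is constructed.

```python
# Added example, not from the Jetty announcement: the affected/patched ranges
# listed in the two advisories above, as a check a dependency inventory can run.
import re
from typing import Dict, List, Tuple

# Pre-release ordering assumed here: alphaN < betaN < GA. A "vYYYYMMDD"
# qualifier (e.g. 9.4.50.v20221201 on the 9.4.x artifacts) is a GA build stamp.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1}
_GA_RANK = 2

VersionKey = Tuple[int, int, int, int, int]

# (major, minor) line -> (last affected version, first patched version),
# exactly as listed on this page. CVE-2023-26048 lists no 12.x range.
ADVISORIES: Dict[str, Dict[Tuple[int, int], Tuple[str, str]]] = {
    "CVE-2023-26049": {                  # GHSA-p26g-97m4-6q7c
        (9, 4): ("9.4.50", "9.4.51"),
        (10, 0): ("10.0.13", "10.0.14"),
        (11, 0): ("11.0.13", "11.0.14"),
        (12, 0): ("12.0.0.alpha3", "12.0.0.beta0"),
    },
    "CVE-2023-26048": {                  # GHSA-qw69-rqj8-6qw8
        (9, 4): ("9.4.50", "9.4.51"),
        (10, 0): ("10.0.13", "10.0.14"),
        (11, 0): ("11.0.13", "11.0.14"),
    },
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?")


def parse_version(version: str) -> VersionKey:
    """Map a Jetty version string to a tuple that sorts in release order:
    (major, minor, patch, prerelease_rank, prerelease_number)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    qualifier, number = m.group(4), m.group(5)
    if qualifier is None or qualifier.lower() == "v":
        return (major, minor, patch, _GA_RANK, 0)
    rank = _PRERELEASE_RANK.get(qualifier.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release qualifier in {version!r}")
    return (major, minor, patch, rank, int(number or 0))


def affected_by(version: str) -> List[Tuple[str, str]]:
    """Return (CVE, first patched version) for each advisory whose listed
    range contains `version`. Unlisted release lines yield nothing."""
    key = parse_version(version)
    line = (key[0], key[1])
    hits: List[Tuple[str, str]] = []
    for cve, ranges in ADVISORIES.items():
        if line in ranges:
            last_affected, first_patched = ranges[line]
            if key <= parse_version(last_affected):
                hits.append((cve, first_patched))
    return hits


if __name__ == "__main__":
    # Constructed inventory of version strings, not real deployments.
    for v in ("9.4.50.v20221201", "9.4.51", "10.0.13", "11.0.15",
              "12.0.0.alpha3", "12.0.0.beta0"):
        hits = affected_by(v)
        status = "OK" if not hits else ", ".join(f"{c} (fix: {p})" for c, p in hits)
        print(f"{v:18} {status}")
```

The check reports the first patched version from each advisory; per the note at the top of the announcement, upgraders should prefer 11.0.15 and 10.0.15 over 11.0.14 and 10.0.14.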