[jetty-announce] Eclipse Jetty Security Advisories - April 2023

The Eclipse Jetty project is announcing 2 security vulnerabilities for
the Eclipse Jetty Server project.

While these were fixed in Jetty versions 11.0.14, 10.0.14, and 9.4.51,
we encourage anyone upgrading to use 11.0.15, 10.0.15, or 9.4.51 instead.

CVE-2023-26049 : Cookie parsing of quoted values can exfiltrate values from other cookies
   Severity (Low) 3.7 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
   Affected Jetty versions: <=9.4.50, <=10.0.13, <=11.0.13, <=12.0.0.alpha3
   Patched Jetty versions: 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0
   Reported by: @arxenix
   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
   CWE-1286 : Improper Validation of Syntactic Correctness of Input
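
   The following is an added illustration of the bug class named in the CVE title above; it is
   not Jetty's code and does not reproduce Jetty's parser. It contrasts a lenient Cookie-header
   splitter that, once it sees an opening double quote, keeps consuming characters (including the
   ';' cookie separators) until the closing quote, with a strict splitter that applies the RFC 6265
   cookie-value grammar, where a quoted value may only contain cookie-octets (no ';', ',', '"',
   '\', whitespace or control characters) and must be closed. The sample header, the cookie names
   and the assumption that the application reflects one cookie's value back to the client are all
   constructed for the example.

```python
"""Added example: how lenient quoted-value cookie parsing can swallow a
neighbouring cookie (the flaw class described by CVE-2023-26049).

Not Jetty's code. Two toy parsers for the HTTP Cookie request header:
  - parse_cookies_lenient: treats '"' as opening a quoted value and
    consumes everything up to the next '"', separators included.
  - parse_cookies_strict: splits on ';' first, then validates each value
    against the RFC 6265 cookie-value grammar and rejects anything else.
"""
import re

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# (printable US-ASCII minus CTLs, whitespace, DQUOTE, comma, semicolon, backslash).
COOKIE_OCTET = r'[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]'
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
STRICT_VALUE = re.compile(rf'^(?:{COOKIE_OCTET}*|"{COOKIE_OCTET}*")$')

# Constructed sample: an attacker-controlled cookie whose value opens a quote
# that is only closed after the victim's session cookie.
SAMPLE_HEADER = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'


def parse_cookies_lenient(header: str) -> dict:
    """Quote-aware scanner: a '"' after '=' suspends ';' as a separator."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' ;':      # skip separators and spaces
            i += 1
        if i >= n:
            break
        eq = header.find('=', i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':
            end = header.find('"', j + 1)       # closing quote may be far away
            if end == -1:
                end = n                         # unterminated: swallow the rest
            value = header[j + 1:end]
            i = end + 1
        else:
            end = header.find(';', j)
            if end == -1:
                end = n
            value = header[j:end]
            i = end
        cookies[name] = value
    return cookies


def parse_cookies_strict(header: str):
    """RFC 6265 style: ';' always separates; malformed values are dropped.

    Returns (accepted_cookies, rejected_cookie_names).
    """
    cookies, rejected = {}, []
    for pair in header.split(';'):
        pair = pair.strip()
        if not pair or '=' not in pair:
            continue
        name, value = (s.strip() for s in pair.split('=', 1))
        if STRICT_VALUE.match(value):
            cookies[name] = value[1:-1] if value.startswith('"') else value
        else:
            rejected.append(name)               # e.g. unterminated or stray '"'
    return cookies, rejected


def session_leaks_via(header: str, reflected_cookie: str, secret_cookie: str) -> bool:
    """True if the lenient parse puts the secret cookie's text inside the value
    of the cookie the application is assumed to reflect back to the client."""
    lenient = parse_cookies_lenient(header)
    return secret_cookie + '=' in lenient.get(reflected_cookie, '')


if __name__ == '__main__':
    print('lenient:', parse_cookies_lenient(SAMPLE_HEADER))
    print('strict: ', parse_cookies_strict(SAMPLE_HEADER))
    print('leak via reflected DISPLAY_LANGUAGE:',
          session_leaks_via(SAMPLE_HEADER, 'DISPLAY_LANGUAGE', 'JSESSIONID'))
```

   With the lenient scanner the whole string b; JSESSIONID=1337; c=d becomes the value of
   DISPLAY_LANGUAGE and no JSESSIONID cookie is seen at all, so any endpoint that echoes the
   language cookie hands the session id to whoever reads the response. The strict splitter keeps
   JSESSIONID intact and rejects the two fragments with unbalanced quotes, which is the behaviour
   to check for when verifying a patched server: send a header of this shape and confirm the
   session cookie still arrives as its own cookie.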


CVE-2023-26048 : OutOfMemoryError for large multipart without filename read via request.getParameter()
   Severity (Moderate) 5.3 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
   Affected Jetty versions: <=9.4.50, <=10.0.13, <=11.0.13
   Patched Jetty versions: 9.4.51, 10.0.14, 11.0.14
   Reported by: @lachlan-roberts
   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   CWE-404 : Improper Resource Shutdown or Release
   CWE-770 : Allocation of Resources Without Limits or Throttling

Joakim Erdfelt / joakim@xxxxxxxxxxx
