Jetty is announcing the publication of three Security Advisories.
Users are encouraged to update to the latest versions of their Jetty installation.
Jetty accepts "+" prefixed value in Content-Length
CVE: CVE-2023-40167
Advisory: https://github.com/advisories/GHSA-hmr7-m48g-48f6
Severity: Moderate (5.3) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness: CWE-130 - Improper Handling of Length Parameter Inconsistency
Impacted Versions:
org.eclipse.jetty:jetty-http >= 9.0.0, <= 9.4.51
org.eclipse.jetty:jetty-http >= 10.0.0, <= 10.0.15
org.eclipse.jetty:jetty-http >= 11.0.0, <= 11.0.15
org.eclipse.jetty:jetty-http <= 12.0.0
Fixed Versions:
9.4.52
10.0.16
11.0.16
12.0.1
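The weakness behind this first advisory is parser leniency: a Content-Length value with a leading "+" is not valid under RFC 9110 (Content-Length = 1*DIGIT), but a parser that hands the field to a sign-tolerant integer routine will happily read "+23" as 23, while a strict peer on the same connection rejects the request. The Python below is an added example, not Jetty's code and not part of the advisory: it contrasts a strict parser with a lenient one modelled on that behaviour, and frames a constructed byte stream with each to show where the two disagree. All names, the sample stream and the "lenient" parser are assumptions made for illustration.

```python
import re
from typing import Callable, Optional

# RFC 9110 section 8.6 defines Content-Length = 1*DIGIT: ASCII digits only,
# no sign, no embedded whitespace. This is the strict parser a conforming
# server should apply (written for this example; not Jetty's implementation).
_STRICT = re.compile(rb"[0-9]+")

# A lenient parser modelled on handing the value to a signed-integer routine
# (Java's Long.parseLong, for instance, accepts an optional leading '+' or '-').
# Constructed here to illustrate CWE-130; it is not Jetty's implementation.
_LENIENT = re.compile(rb"[+-]?[0-9]+")


def parse_content_length_strict(value: bytes) -> int:
    if not _STRICT.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value.decode("ascii"))


def parse_content_length_lenient(value: bytes) -> int:
    if not _LENIENT.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    n = int(value.decode("ascii"))  # int() tolerates the sign, like parseLong
    if n < 0:
        raise ValueError(f"negative Content-Length: {value!r}")
    return n


def accepts(parser: Callable[[bytes], int], value: bytes) -> bool:
    """True if the parser turns the field value into a length instead of rejecting it."""
    try:
        parser(value)
        return True
    except ValueError:
        return False


def frame_requests(stream: bytes, parser: Callable[[bytes], int]) -> list[tuple[bytes, bytes]]:
    """Split a pipelined HTTP/1.1 byte stream into (head, body) pairs using the
    given Content-Length parser. Raises ValueError where a real server would
    answer 400 Bad Request."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete header block")
        head = stream[pos:end]
        length = 0
        for line in head.split(b"\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                # OWS around a field value is legal, so strip it before parsing
                length = parser(value.strip())
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated body")
        requests.append((head, body))
        pos = body_start + length
    return requests


# Constructed sample: a POST whose Content-Length carries a leading '+', followed
# by 23 bytes that read as a second request. A sign-tolerant parser swallows
# exactly those 23 bytes as the POST's body; a strict parser rejects the POST.
SAMPLE_STREAM = (
    b"POST /a HTTP/1.1\r\nHost: example\r\nContent-Length: +23\r\n\r\n"
    b"GET /admin HTTP/1.1\r\n\r\n"
)


def compare_framing(stream: bytes) -> dict[str, Optional[list[tuple[bytes, bytes]]]]:
    """Frame the stream with both parsers; None means that parser rejected it."""
    result = {}
    for name, parser in (("strict", parse_content_length_strict),
                         ("lenient", parse_content_length_lenient)):
        try:
            result[name] = frame_requests(stream, parser)
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    for value in (b"23", b"+23", b"+0", b"-1", b"0x17", b"1e3"):
        print(value, "strict:", accepts(parse_content_length_strict, value),
              "lenient:", accepts(parse_content_length_lenient, value))
    framed = compare_framing(SAMPLE_STREAM)
    print("strict:", framed["strict"])
    print("lenient:", [(h.split(b"\r\n")[0], len(b)) for h, b in framed["lenient"]])
```

The disagreement is the precondition for the request smuggling scenario the advisory rates as conceivable: the lenient side sees one request carrying a 23-byte body, the strict side rejects the same bytes, and if the rejecting side keeps the connection open the two components no longer agree on where the next request begins. After upgrading to a fixed version, the check worth running against your own deployment is a request carrying `Content-Length: +0`, which should be rejected rather than treated as an empty body.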
Errant command quoting in `org.eclipse.jetty.servlets.CGI` Servlet
CVE: CVE-2023-36479
Advisory: https://github.com/advisories/GHSA-3gh6-v5v9-6v9j
Severity: Low (3.5) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Weakness: CWE-149 - Improper Neutralization of Quoting Syntax
Impacted Versions:
org.eclipse.jetty:jetty-servlets >= 9.0.0, <= 9.4.51
org.eclipse.jetty:jetty-servlets >= 10.0.0, <= 10.0.15
org.eclipse.jetty:jetty-servlets >= 11.0.0, <= 11.0.15
org.eclipse.jetty.ee10:jetty-ee10-servlets <= 12.0.0-beta1
org.eclipse.jetty.ee8:jetty-ee8-servlets <= 12.0.0-beta1
org.eclipse.jetty.ee9:jetty-ee9-servlets <= 12.0.0-beta1
Fixed Versions:
9.4.52 - CGI servlet fixed and deprecated
10.0.16 - CGI servlet fixed and deprecated
11.0.16 - CGI servlet fixed and deprecated
12.0.0 - CGI servlet removed from the codebase
OpenId Revoked authentication allows one request
CVE: CVE-2023-41900
Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
Severity: Low (3.5) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Weakness: CWE-1390 - Weak Authentication
Impacted Versions:
org.eclipse.jetty:jetty-openid >= 9.4.21, <= 9.4.51
org.eclipse.jetty:jetty-openid >= 10.0.0, <= 10.0.15
org.eclipse.jetty:jetty-openid >= 11.0.0, <= 11.0.15
Jetty 12 is not impacted
Fixed Versions:
9.4.52
10.0.16
11.0.16