[jetty-dev] Eclipse Jetty has published three Security Advisories.

Jetty is announcing the publication of three Security Advisories.
Users are encouraged to update to the latest versions of their Jetty installation.

Jetty accepts "+" prefixed value in Content-Length
  CVE: CVE-2023-40167
  Advisory: https://github.com/advisories/GHSA-hmr7-m48g-48f6
  Severity: Moderate (5.3) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Weakness: CWE-130 - Improper Handling of Length Parameter Inconsistency
  Impacted Versions:
    org.eclipse.jetty:jetty-http  >= 9.0.0, <= 9.4.51
    org.eclipse.jetty:jetty-http  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty:jetty-http  >= 11.0.0, <= 11.0.15
    org.eclipse.jetty:jetty-http  <= 12.0.0
  Fixed Versions:
    9.4.52
    10.0.16
    11.0.16
    12.0.1

Errant command quoting in `org.eclipse.jetty.servlets.CGI` Servlet
  CVE: CVE-2023-40167
  Advisory: https://github.com/advisories/GHSA-3gh6-v5v9-6v9j
  Severity: Low (3.5) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
  Weakness: CWE-149 - Improper Neutralization of Quoting Syntax
  Impacted Versions:
    org.eclipse.jetty:jetty-servlets  >= 9.0.0, <= 9.4.51
    org.eclipse.jetty:jetty-servlets  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty:jetty-servlets  >= 11.0.0, <= 11.0.15
    org.eclipse.jetty.ee10:jetty-ee10-servlets  <= 12.0.0-beta1
    org.eclipse.jetty.ee8:jetty-ee8-servlets    <= 12.0.0-beta1
    org.eclipse.jetty.ee9:jetty-ee9-servlets    <= 12.0.0-beta1
  Fixed Versions:
    9.4.52 - deprecated
    10.0.16 - deprecated
    11.0.16 - deprecated
    12.0.0 - removed from codebase

OpenId Revoked authentication allows one request
  CVE: CVE-2023-41900
  Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
  Severity: Low (3.5) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
  Weakness: CWE-1390 - Weak Authentication
  Impacted Versions:
    org.eclipse.jetty:jetty-openid  >= 9.4.21, <= 9.4.51
    org.eclipse.jetty:jetty-openid  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty:jetty-openid  >= 11.0.0, <= 11.0.15
    jetty 12 not impacted
  Fixed Versions:
    9.4.52
    10.0.16
    11.0.16

Joakim Erdfelt / joakim@xxxxxxxxxxx