[jetty-dev] CVE-2024-13009 in EOL Jetty 9.4 - GzipHandler causes part of

[Joakim Erdfelt <joakim.erdfelt@xxxxxxxxx>]

GzipHandler causes part of request body to be seen as request body of a separate request

CVE: CVE-2024-13009 (tagged: Unsupported When Assigned)

CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Impacts: (EOL) org.eclipse.jetty.server:jetty-server  >=9.4.0,<=9.4.56

Patched: 9.4.57 (EOL) - available on Maven Central

Weakness: CWE-404 - Improper Resource Shutdown or Release

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.

See: https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5 for details.

Credits to: https://github.com/maimaisie (reporter), and their team: https://github.com/samjsong, https://github.com/lei-sumo, and https://github.com/nchudasmasumo

We encourage users of the EOL version of Jetty to upgrade to a supported version of Jetty as soon as possible, which as of today is Jetty 12.

If you are using `javax.servlet` for your webapp, you can continue to use `javax.servlet` by using the `ee8` environment on Jetty 12.

- Joakim Erdfelt