Security
Headlines
HeadlinesLatestCVEs

Headline

Debian Security Advisory 5507-1

Debian Linux Security Advisory 5507-1 - Multiple security vulnerabilities were found in Jetty, a Java based web server and servlet engine.

Packet Storm
#vulnerability#web#linux#debian#js#java#auth

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Debian Security Advisory DSA-5507-1 [email protected]
https://www.debian.org/security/ Markus Koschany
September 28, 2023 https://www.debian.org/security/faq


Package : jetty9
CVE ID : CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167
CVE-2023-41900

Multiple security vulnerabilities were found in Jetty, a Java based web server
and servlet engine.

The org.eclipse.jetty.servlets.CGI class has been deprecated. It is potentially
unsafe to use it. The upstream developers of Jetty recommend to use Fast CGI
instead. See also CVE-2023-36479.

CVE-2023-26048

In affected versions servlets with multipart support (e.g. annotated with  
`@MultipartConfig`) that call `HttpServletRequest.getParameter()` or  
`HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the  
client sends a multipart request with a part that has a name but no  
filename and very large content. This happens even with the default  
settings of `fileSizeThreshold=0` which should stream the whole part  
content to disk.

CVE-2023-26049

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle  
cookies within other cookies, or otherwise perform unintended behavior by  
tampering with the cookie parsing mechanism.

CVE-2023-40167

Prior to this version Jetty accepted the `+` character proceeding the  
content-length value in a HTTP/1 header field. This is more permissive than  
allowed by the RFC and other servers routinely reject such requests with  
400 responses. There is no known exploit scenario, but it is conceivable  
that request smuggling could result if jetty is used in combination with a  
server that does not close the connection after sending such a 400  
response.

CVE-2023-36479

Users of the CgiServlet with a very specific command structure may have the  
wrong command executed. If a user sends a request to a  
org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its  
name, the servlet will escape the command by wrapping it in quotation  
marks. This wrapped command, plus an optional command prefix, will then be  
executed through a call to Runtime.exec. If the original binary name  
provided by the user contains a quotation mark followed by a space, the  
resulting command line will contain multiple tokens instead of one.

CVE-2023-41900

Jetty is vulnerable to weak authentication. If a Jetty  
`OpenIdAuthenticator` uses the optional nested `LoginService`, and that  
`LoginService` decides to revoke an already authenticated user, then the  
current request will still treat the user as authenticated. The  
authentication is then cleared from the session and subsequent requests  
will not be treated as authenticated. So a request on a previously  
authenticated session could be allowed to bypass authentication after it  
had been rejected by the `LoginService`. This impacts usages of the  
jetty-openid which have configured a nested `LoginService` and where that  
`LoginService` is capable of rejecting previously authenticated users.

For the oldstable distribution (bullseye), these problems have been fixed
in version 9.4.39-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 9.4.50-4+deb12u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUV6x5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTJGw//a9ZVCC9qHUG/KfAkJJs27UGuL4T1hRM5Azu+8jFxMHwuqKf62FCWlGUE
xM9fwQdUDvfkSBsrGlp+nAwqegOh+YBvAxh6DBdMpEYhZ+wUDLwZaPdR5iTj7q2e
JpjKs1hp7QRDfguL6+T/sJmMx9zk7soDwqd3QEjBXBhuYhlVfq7Wm4v5STKj28pD
Yjv6YmLKIHTv9/HaUWNDCFUjyRGZjmAvYVAIF3gNo9Qn2agq4z3+1Z2EPX4+qbVq
pp+JKr/vVSVHltaR1D0JyC5zjrHOo+dRFWYwG7K/V7kijyIbciNACTe/W2v6hM6F
w+0+8C7TMbof22nOHVcgBygukIvxdvnG6BQUUQaVeE36wi8cvBSVgTe0NJb0NIQt
Gr37tlG+9kJy9d02I+hgX8U90aWmaofTJsn3YbAL6wv2r7Klm6LJN6p8oAmqfEM6
IOOii4JpHaRDz1VQsjskhjw7Q1UigVX6lmx6BfPHzG2BFSe8v5vG+6OvH4oF+Egy
VTF3U/lvXcdqaZyNnCKn4NWLJZHVYE4ncgdDp8qomJXnDoMy6V9+DEDADiu9C2ox
4YvtBHVIZ1uYBRRDjutJw0dkKa7QotSlkmVnAV+oqHa1/Dp2Cytjb+rRhp83QLEw
kfBWYLpFIq9ARI08AyK4hzX27FFf3ojHp++Lau8ODwb/4s9bKE0=j7dG
-----END PGP SIGNATURE-----

Related news

Red Hat Security Advisory 2024-3989-03

Red Hat Security Advisory 2024-3989-03 - Migration Toolkit for Applications 6.2.3 release. Issues addressed include denial of service, memory leak, and password leak vulnerabilities.

Red Hat Security Advisory 2024-3919-03

Red Hat Security Advisory 2024-3919-03 - Migration Toolkit for Runtimes 1.2.6 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include denial of service and spoofing vulnerabilities.

Red Hat Security Advisory 2024-3354-03

Red Hat Security Advisory 2024-3354-03 - Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include HTTP request smuggling, bypass, denial of service, deserialization, and traversal vulnerabilities.

Red Hat Security Advisory 2024-2010-03

Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.

Red Hat Security Advisory 2024-0804-03

Red Hat Security Advisory 2024-0804-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-0801-03

Red Hat Security Advisory 2024-0801-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-0800-03

Red Hat Security Advisory 2024-0800-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-0798-03

Red Hat Security Advisory 2024-0798-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-0797-03

Red Hat Security Advisory 2024-0797-03 - Updated Satellite 6.14 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include HTTP request smuggling, buffer overflow, denial of service, and memory leak vulnerabilities.

Red Hat Security Advisory 2024-0778-03

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

Red Hat Security Advisory 2023-7697-03

Red Hat Security Advisory 2023-7697-03 - An update is now available for Red Hat AMQ Clients. Issues addressed include code execution, denial of service, deserialization, and resource exhaustion vulnerabilities.

Red Hat Security Advisory 2023-7678-03

Red Hat Security Advisory 2023-7678-03 - Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal. Issues addressed include XML injection, bypass, and open redirection vulnerabilities.

Red Hat Security Advisory 2023-7641-03

Red Hat Security Advisory 2023-7641-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7639-03

Red Hat Security Advisory 2023-7639-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7638-03

Red Hat Security Advisory 2023-7638-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7637-03

Red Hat Security Advisory 2023-7637-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5946-01

Red Hat Security Advisory 2023-5946-01 - Red Hat AMQ Broker 7.11.3 is now available from the Red Hat Customer Portal. Issues addressed include denial of service and open redirection vulnerabilities.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Red Hat Security Advisory 2023-5780-01

Red Hat Security Advisory 2023-5780-01 - A security update for Camel Extensions for Quarkus 2.13.3 is now available. The purpose of this text-only erratum is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.

CVE-2023-30994: Security Bulletin: IBM QRadar SIEM includes components with known vulnerabilities

IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 254138

RHSA-2023:5441: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update

Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-44729: A flaw was found in Apache Batik 1.0 - 1.16. This issue occurs due to a malicious SVG triggering external resources loading by default, causing resource consumption or in some cases information disclosure. * CVE-2022-44730: A flaw was found in Apache Batik, where a malicious SVG can probe user profile data and send it directly as ...

CVE-2023-41900: Bring back some openid improvements from 10.0.x to 9.4.x by lachlan-roberts · Pull Request #9660 · eclipse/jetty.project

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

CVE-2023-40167: RFC 9110: HTTP Semantics

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

CVE-2023-36479: Errant command quoting in `org.eclipse.jetty.servlets.CGI` Servlet

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Red Hat Security Advisory 2023-5165-01

Red Hat Security Advisory 2023-5165-01 - Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Issues addressed include code execution, denial of service, deserialization, and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-5165-01

Red Hat Security Advisory 2023-5165-01 - Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Issues addressed include code execution, denial of service, deserialization, and integer overflow vulnerabilities.

GHSA-pwh8-58vv-vw48: Jetty's OpenId Revoked authentication allows one request

If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. ### Impact This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. ### Original Report > working on a custom OpenIdAuthenticator, I discovered the following: > > https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505 > > In the case where the LoginService does return that the authentication has been rev...

GHSA-hmr7-m48g-48f6: Jetty accepts "+" prefixed value in Content-Length

### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts "+" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the...

GHSA-3gh6-v5v9-6v9j: Jetty vulnerable to errant command quoting in CgiServlet

If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" ")) execCmd = "\"" + execCmd + "\""; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a r...

RHSA-2023:5165: Red Hat Security Advisory: Red Hat AMQ Streams 2.5.0 release and security update

Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service. * CVE-2021-37137: A flaw was found in the Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a speciall...

RHSA-2023:5165: Red Hat Security Advisory: Red Hat AMQ Streams 2.5.0 release and security update

Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service. * CVE-2021-37137: A flaw was found in the Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a speciall...

CVE-2023-32338: Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues

IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 stores user credentials in plain clear text which can be read by a local user with container access. IBM X-Force ID: 255585.

CVE-2023-32338: Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues

IBM Sterling Secure Proxy and IBM Sterling External Authentication Server 6.0.3 and 6.1.0 stores user credentials in plain clear text which can be read by a local user with container access. IBM X-Force ID: 255585.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

GHSA-qw69-rqj8-6qw8: OutOfMemoryError for large multipart without filename in Eclipse Jetty

### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read...

GHSA-p26g-97m4-6q7c: Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by ...

CVE-2023-26049: Cookie parsing of quoted values can exfiltrate values from other cookies

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that polic...

CVE-2023-26048: servlet/servlet-spec-body.adoc at 6.0.0 · jakartaee/servlet

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still re...

Packet Storm: Latest News

TOR Virtual Network Tunneling Tool 0.4.8.13