Jetty is announcing the publication of three Security Advisories.
Users are encouraged to update to the latest versions of their Jetty
installation.

*Jetty accepts "+" prefixed value in Content-Length*
  CVE: CVE-2023-40167
  Advisory: https://github.com/advisories/GHSA-hmr7-m48g-48f6
  Severity: Moderate (5.3) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  Weakness: CWE-130 - Improper Handling of Length Parameter Inconsistency
  Impacted Versions:
    org.eclipse.jetty:jetty-http  >= 9.0.0, <= 9.4.51
    org.eclipse.jetty:jetty-http  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty:jetty-http  >= 11.0.0, <= 11.0.15
    org.eclipse.jetty:jetty-http  <= 12.0.0
  Fixed Versions:
    9.4.52
    10.0.16
    11.0.16
    12.0.1
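
Why a leading "+" in Content-Length matters, shown as an added example (this is not Jetty code and not part of the advisory; it models a permissive integer routine and does not reimplement Jetty's parser): RFC 9110 defines Content-Length as 1*DIGIT, so "+5" is not a valid value. A parser built on a general-purpose integer routine accepts it anyway, and two hops that disagree on whether "+5" is valid disagree on where the body ends, which is the integrity concern behind CWE-130. The request bytes below are constructed for the demonstration.

```python
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (no sign, no whitespace).
_STRICT_CL = re.compile(rb"\A[0-9]+\Z")


def strict_content_length(value: bytes):
    """Return the declared length if `value` is exactly 1*DIGIT, else None."""
    return int(value) if _STRICT_CL.match(value) else None


def lenient_content_length(value: bytes):
    """Model of a permissive parser built on a general integer routine.

    Python's int() (like Java's Long.parseLong) accepts an explicit "+"
    sign and surrounding whitespace, so b"+5" parses to 5. This is a model
    of the weakness class, not a copy of any specific server's code.
    """
    try:
        n = int(value.strip())
    except ValueError:
        return None
    return n if n >= 0 else None


def _content_length_header(head: bytes):
    """Return the single Content-Length value from the request head.

    b"" means the header is absent (no body); None means it is repeated,
    which both framings here refuse as ambiguous.
    """
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, val = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(val.strip())
    if not values:
        return b""
    return values[0] if len(values) == 1 else None


def _frame(rest: bytes, length):
    """Split the bytes after the head into (body, leftover); None = rejected."""
    if length is None:
        return None, None
    return rest[:length], rest[length:]


def audit_request(raw: bytes) -> dict:
    """Frame one raw HTTP/1.1 request under both parsers and flag disagreement.

    "leftover" is what a keep-alive connection would read as the *next*
    request under that framing; a strict parser returns None (reject/400).
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    cl = _content_length_header(head)
    if cl is None:
        strict = lenient = None
    elif cl == b"":
        strict = lenient = 0
    else:
        strict = strict_content_length(cl)
        lenient = lenient_content_length(cl)
    body_s, left_s = _frame(rest, strict)
    body_l, left_l = _frame(rest, lenient)
    return {
        "header": cl,
        "strict": strict,
        "lenient": lenient,
        "disagree": strict != lenient,
        "body_strict": body_s,
        "leftover_strict": left_s,
        "body_lenient": body_l,
        "leftover_lenient": left_l,
    }


# Constructed sample traffic (not captured from any real system).
REQ_PLAIN = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Same request with a "+" prefixed length, followed by bytes that a lenient
# parser leaves on the connection as a second, attacker-chosen request.
REQ_SIGNED = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: +5\r\n"
    b"\r\n"
    b"hello"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, req in (("plain", REQ_PLAIN), ("signed", REQ_SIGNED)):
        r = audit_request(req)
        print(f"{name}: header={r['header']!r} strict={r['strict']} "
              f"lenient={r['lenient']} disagree={r['disagree']}")
        if r["disagree"] and r["leftover_lenient"]:
            print("  lenient framing leaves on the wire:",
                  r["leftover_lenient"].split(b"\r\n")[0])
```

Running the module prints that the plain request frames identically under both parsers, while the "+5" request is rejected by the strict parser but accepted by the lenient one, which then treats the trailing "GET /admin" bytes as a new request. The same strict_content_length check can be dropped into a proxy or test harness to confirm that every hop in front of a Jetty instance rejects signed lengths.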

*Errant command quoting in `org.eclipse.jetty.servlets.CGI` Servlet*
  CVE: CVE-2023-36479
  Advisory: https://github.com/advisories/GHSA-3gh6-v5v9-6v9j
  Severity: Low (3.5) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
  Weakness: CWE-149 - Improper Neutralization of Quoting Syntax
  Impacted Versions:
    org.eclipse.jetty:jetty-servlets  >= 9.0.0, <= 9.4.51
    org.eclipse.jetty:jetty-servlets  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty:jetty-servlets  >= 11.0.0, <= 11.0.15
    org.eclipse.jetty.ee10:jetty-ee10-servlets  <= 12.0.0-beta1
    org.eclipse.jetty.ee8:jetty-ee8-servlets    <= 12.0.0-beta1
    org.eclipse.jetty.ee9:jetty-ee9-servlets    <= 12.0.0-beta1
  Fixed Versions:
    9.4.52 - deprecated
    10.0.16 - deprecated
    11.0.16 - deprecated
    12.0.0 - removed from codebase

*OpenId Revoked authentication allows one request*
  CVE: CVE-2023-41900
  Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
  Severity: Low (3.5) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
  Weakness: CWE-1390 - Weak Authentication
  Impacted Versions:
    org.eclipse.jetty:jetty-openid  >= 9.4.21, <= 9.4.51
    org.eclipse.jetty:jetty-openid  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty:jetty-openid  >= 11.0.0, <= 11.0.15
    jetty 12 not impacted
  Fixed Versions:
    9.4.52
    10.0.16
    11.0.16

Joakim Erdfelt / joa...@webtide.com
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org