CVE-2020-27223

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-27223
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-27223.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-27223
Aliases
Downstream
Related
Published
2021-02-26T22:15:19Z
Modified
2025-09-19T12:14:54.890303Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
[none]
Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage while processing those quality values, which can consume minutes of CPU time.

References

Affected packages

Git / github.com/eclipse/jetty.project

Affected ranges

Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/jetty/jetty.project
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

PRE-MERGE-20120719-1138

jetty-7.*

jetty-7.4.4.v20110707
jetty-7.5.0.RC0
jetty-7.5.0.RC1
jetty-7.5.0.RC2
jetty-7.5.0.v20110901
jetty-7.5.1.v20110907
jetty-7.5.1.v20110908
jetty-7.5.2.v20111006
jetty-7.5.3.v20111011
jetty-7.5.4.v20111024
jetty-7.6.0.RC0
jetty-7.6.0.RC1
jetty-7.6.0.RC2
jetty-7.6.0.RC3
jetty-7.6.0.RC4
jetty-7.6.0.RC5
jetty-7.6.0.v20120125
jetty-7.6.0.v20120127
jetty-7.6.1.v20120215
jetty-7.6.10.v20130312
jetty-7.6.11.v20130520
jetty-7.6.11.v20130725
jetty-7.6.12.v20130726
jetty-7.6.13.v20130910
jetty-7.6.2.v20120302
jetty-7.6.2.v20120308
jetty-7.6.3.v20120413
jetty-7.6.3.v20120416
jetty-7.6.4.v20120522
jetty-7.6.4.v20120524
jetty-7.6.5.v20120713
jetty-7.6.5.v20120716
jetty-7.6.6.v20120903
jetty-7.6.7.v20120910
jetty-7.6.8.v20121106
jetty-7.6.9.v20130131

jetty-8.*

jetty-8.0.0.RC0
jetty-8.0.0.v20110901
jetty-8.0.1.v20110907
jetty-8.0.1.v20110908
jetty-8.0.2.v20111006
jetty-8.0.3.v20111011
jetty-8.0.4.v20111024
jetty-8.1.0.RC0
jetty-8.1.0.RC1
jetty-8.1.0.RC2
jetty-8.1.0.RC4
jetty-8.1.0.RC5
jetty-8.1.0.v20120125
jetty-8.1.0.v20120127
jetty-8.1.1.v20120215
jetty-8.1.10.v20130312
jetty-8.1.11.v20130520
jetty-8.1.12.v20130725
jetty-8.1.12.v20130726
jetty-8.1.13.v20130910
jetty-8.1.13.v20130916
jetty-8.1.2.v20120302
jetty-8.1.2.v20120308
jetty-8.1.3.v20120413
jetty-8.1.3.v20120416
jetty-8.1.4.v20120522
jetty-8.1.4.v20120524
jetty-8.1.5.v20120713
jetty-8.1.5.v20120716
jetty-8.1.6.v20120903
jetty-8.1.7.v20120910
jetty-8.1.8.v20121106
jetty-8.1.9.v20130131

jetty-9.*

jetty-9.0.0.M0
jetty-9.0.0.M1
jetty-9.0.0.M2
jetty-9.0.0.M3
jetty-9.0.0.M4
jetty-9.0.0.M5
jetty-9.0.0.RC0
jetty-9.0.0.RC1
jetty-9.0.0.RC2
jetty-9.0.0.RC3
jetty-9.0.0.v20130308
jetty-9.0.1.v20130408
jetty-9.0.2.v20130417
jetty-9.0.2.v20140415
jetty-9.0.3.v20130506
jetty-9.0.4.v20130621
jetty-9.0.4.v20130625
jetty-9.0.5.v20130813
jetty-9.0.5.v20130815
jetty-9.0.6.v20130919
jetty-9.0.6.v20130930
jetty-9.0.7.v20131031
jetty-9.0.7.v20131107
jetty-9.0.x
jetty-9.1.0.M0
jetty-9.1.0.RC0
jetty-9.1.0.RC1
jetty-9.1.0.RC2
jetty-9.1.0.v20131115
jetty-9.1.1.v20140108
jetty-9.1.2.v20140210
jetty-9.1.3.v20140225
jetty-9.1.4.v20140401
jetty-9.2.0.M0
jetty-9.2.0.M1
jetty-9.2.0.RC0
jetty-9.2.0.v20140523
jetty-9.2.0.v20140526
jetty-9.2.1.v20140609
jetty-9.2.10.v20150310
jetty-9.2.11.M0
jetty-9.2.11.v20150528
jetty-9.2.11.v20150529
jetty-9.2.12.M0
jetty-9.2.12.v20150709
jetty-9.2.13.v20150730
jetty-9.2.14.v20151106
jetty-9.2.15.v20160210
jetty-9.2.16.v20160414
jetty-9.2.17.v20160517
jetty-9.2.18.v20160721
jetty-9.2.19.v20160908
jetty-9.2.2.v20140723
jetty-9.2.20.v20161216
jetty-9.2.21.v20170120
jetty-9.2.22.v20170606
jetty-9.2.23.v20171218
jetty-9.2.24.v20180105
jetty-9.2.25.v20180606
jetty-9.2.26.v20180806
jetty-9.2.27.v20190403
jetty-9.2.28.v20190418
jetty-9.2.29.v20191105
jetty-9.2.3.v20140905
jetty-9.2.4.v20141103
jetty-9.2.5.v20141112
jetty-9.2.6.v20141203
jetty-9.2.6.v20141205
jetty-9.2.7.v20150116
jetty-9.2.8.v20150217
jetty-9.2.9.v20150224
jetty-9.3.0.M0
jetty-9.3.0.v20150612
jetty-9.3.1.v20150714
jetty-9.3.10.M0
jetty-9.3.10.v20160621
jetty-9.3.11.M0
jetty-9.3.11.v20160721
jetty-9.3.12.v20160915
jetty-9.3.13.M0
jetty-9.3.13.v20161014
jetty-9.3.14.v20161028
jetty-9.3.15.v20161220
jetty-9.3.16.v20170120
jetty-9.3.17.v20170317
jetty-9.3.18.v20170406
jetty-9.3.19.v20170502
jetty-9.3.20.v20170531
jetty-9.3.21.M0
jetty-9.3.21.v20170918
jetty-9.3.22.v20171030
jetty-9.3.23.v20180228
jetty-9.3.24.v20180605
jetty-9.3.25.v20180904
jetty-9.3.26.v20190403
jetty-9.3.27.v20190418
jetty-9.3.28.v20191105
jetty-9.3.3.v20150825
jetty-9.3.3.v20150827
jetty-9.3.4.v20151007
jetty-9.3.5.v20151012
jetty-9.3.6.v20151106
jetty-9.3.7.RC0
jetty-9.3.7.RC1
jetty-9.3.7.v20160115
jetty-9.3.8.RC0
jetty-9.3.8.v20160314
jetty-9.3.9.M1
jetty-9.3.9.v20160517
jetty-9.4.0.M1
jetty-9.4.0.RC0
jetty-9.4.0.RC1
jetty-9.4.0.RC2
jetty-9.4.0.RC3
jetty-9.4.0.v20161207
jetty-9.4.0.v20161208
jetty-9.4.1.v20170120
jetty-9.4.10.v20180503
jetty-9.4.11.v20180605
jetty-9.4.12.v20180830
jetty-9.4.13.v20181111
jetty-9.4.14.v20181114
jetty-9.4.15.v20190215
jetty-9.4.16.v20190411
jetty-9.4.17.v20190418
jetty-9.4.18.v20190429
jetty-9.4.19.v20190610
jetty-9.4.2.v20170220
jetty-9.4.20.v20190813
jetty-9.4.21.v20190926
jetty-9.4.22.v20191022
jetty-9.4.23.v20191118
jetty-9.4.24.v20191120
jetty-9.4.25.v20191220
jetty-9.4.26.v20200117
jetty-9.4.27.v20200227
jetty-9.4.28.v20200408
jetty-9.4.29.v20200521
jetty-9.4.3.v20170317
jetty-9.4.30.v20200611
jetty-9.4.31.v20200723
jetty-9.4.32.v20200930
jetty-9.4.33.v20201020
jetty-9.4.34.v20201102
jetty-9.4.35.v20201120
jetty-9.4.36.v20210114
jetty-9.4.4.v20170414
jetty-9.4.5.v20170502
jetty-9.4.6.v20170531
jetty-9.4.7.v20170914
jetty-9.4.8.v20171121
jetty-9.4.9.v20180320

npn-api-1.*

npn-api-1.0.0.v20120402
npn-api-1.1.0.v20120525

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java",
                "function": "parsedValue"
            },
            "id": "CVE-2020-27223-45b13268",
            "digest": {
                "function_hash": "184400421406254729142860305963963940971",
                "length": 94.0
            }
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131",
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java"
            },
            "id": "CVE-2020-27223-4d564dc7",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            }
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java",
                "function": "QuotedQualityCSV"
            },
            "id": "CVE-2020-27223-57339a36",
            "digest": {
                "function_hash": "88006686507020079735535315236248256351",
                "length": 249.0
            }
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java",
                "function": "parsedParam"
            },
            "id": "CVE-2020-27223-beef10ab",
            "digest": {
                "function_hash": "309805179836461238316607034527752687358",
                "length": 799.0
            }
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131",
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java",
                "function": "sort"
            },
            "id": "CVE-2020-27223-c7409176",
            "digest": {
                "function_hash": "237623596255308684413963623535570052580",
                "length": 857.0
            }
        }
    ]
}