In Eclipse Jetty 9.4.6.v20170531 through 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, a request carrying multiple `Accept` headers with a large number of "quality" (`q`) parameters can drive the server into a denial-of-service (DoS) state: parsing and sorting those quality values consumes disproportionate CPU, and a single crafted request can tie up minutes of CPU time. The affected code is the `QuotedQualityCSV` parser in `jetty-http` (the `parsedValue`, `parsedParam` and `sort` paths targeted by the signatures below); the remediation is the patch commit those signatures reference, so deployments on the affected versions should upgrade to a release containing it. Until then, limiting the accepted request-header size at the server or a fronting proxy reduces exposure, since the attack depends on packing many `q` parameters into the headers of one request.
{ "vanir_signatures": [ { "signature_version": "v1", "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131", "deprecated": false, "signature_type": "Function", "target": { "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java", "function": "parsedValue" }, "id": "CVE-2020-27223-45b13268", "digest": { "function_hash": "184400421406254729142860305963963940971", "length": 94.0 } }, { "signature_version": "v1", "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131", "deprecated": false, "signature_type": "Line", "target": { "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java" }, "id": "CVE-2020-27223-4d564dc7", "digest": { "line_hashes": [ "179452784334769158403100940236434908695", "310443886562692546600354564003727575888", "259758318498458371890959123113478973433", "167588035352153053957833495056253406257", "11729859842063230267379929745191480475", "151313808747148448724823804536116530978", "267099099637193108807665146464241172960", "277772536204803768681178227960021075796", "254636362071963156041171937937726444966", "74703349147924814445478036843535794761", "78197092271670423108770875798756211088", "46175104968392148730137969371446902998", "130304822988992453712841094523765272441", "222425692163294885629131110470143061318", "241873839846214164744735092681360699304", "67394938416954511311564384517046886093", "121877217330029534788794820229142277812", "309656193589048441117397509240928770707", "15326949281581316734249748482126462628", "58596820990402153241834855336196588683", "24859305933685585014542947444527480041", "298461787823733139041012657737430547189", "181876196218142640670098796099112581576", "273506084014286732710665848513266360589", "61605516012152643455861940920279450251", "298695343177705421066215146711083942819", "59049236603406802463753448178612417228", "184733323385787113527276764692166247835", 
"19384791602369525422378303335231689573", "87870071933459223269954315260175043731", "252869537727253322130835741857391429018", "225410538706628869019481803153957917413", "172250737658928436120187380388861715785", "85891844406859578118394634551645997248", "34723935739774248465041692618570062268", "28085686537498847627534065810124866356", "245587174947801259791143250145267603595", "281092268295390455017567431752537429857", "194902004498424570222832225018999246206", "330987813146013006183166589719262266092", "240365680333400415281480177292886532106", "338781243300349238898033631994657005624", "40673121706323402635651278800007290998", "89977793703567518013606880243232474081", "115066544159129317124921824881557766864", "63477383271830600744077320933437945348", "170104649092280989819767338544374292200", "207789913324137174103619104080987699099", "134844006432878171332747389790618579734", "119095969198206089809092896809558681679", "159649732023743584263572751751416931895", "93727250804255053067965740909206683093", "295319882671585040700258227269499019617", "230635094577414615062632698961610778470", "270739774479412693691068982521873522257", "30294011653153988449403414044361357691", "301898738845381677394046433251864613648", "141901544582011180710382814649163345518", "330156883865383726124199796974233960790", "210488045500915085489429744270068203388", "104780329508468820447503702884358200986", "105776599714034846449009014071049088749", "91713052865866203287919674562354587500", "311469060184620201922449061360819813318", "261727696924826329706455160086427564764", "29644198073670928873178804104557865764", "124872315640180458536801381911685313981", "296138444704097752526319831045565885465", "38601468519811532903974214382359709107", "173084971804331460630051338744539530783", "92030473942336281800455547971085774171", "38973028764776317055822252692731803257", "99932116521598025928363516326640477639" ], "threshold": 0.9 } }, { "signature_version": "v1", "source": 
"https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131", "deprecated": false, "signature_type": "Function", "target": { "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java", "function": "QuotedQualityCSV" }, "id": "CVE-2020-27223-57339a36", "digest": { "function_hash": "88006686507020079735535315236248256351", "length": 249.0 } }, { "signature_version": "v1", "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131", "deprecated": false, "signature_type": "Function", "target": { "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java", "function": "parsedParam" }, "id": "CVE-2020-27223-beef10ab", "digest": { "function_hash": "309805179836461238316607034527752687358", "length": 799.0 } }, { "signature_version": "v1", "source": "https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131", "deprecated": false, "signature_type": "Function", "target": { "file": "jetty-http/src/main/java/org/eclipse/jetty/http/QuotedQualityCSV.java", "function": "sort" }, "id": "CVE-2020-27223-c7409176", "digest": { "function_hash": "237623596255308684413963623535570052580", "length": 857.0 } } ] }