CVE-2023-26048

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26048

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-26048.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26048

Aliases

GHSA-qw69-rqj8-6qw8

Related

Published

2023-04-18T21:15:08Z

Modified

2024-09-11T06:12:26.629830Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

[none]

Details

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

References

Affected packages

Debian:11 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.39-3+deb11u2

Affected versions

9.*

9.4.39-3

9.4.39-3+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.50-4+deb12u1

Affected versions

9.*

9.4.50-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.52-1

Affected versions

9.*

9.4.50-4

9.4.51-1

9.4.51-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/eclipse/jetty.project

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/jetty.project
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b45c405e4544384de066f814ed42ae3dceacdd49

Type: GIT
Repo: https://github.com/jetty/jetty.project
Events: Introduced

b9645a17373e4e9b7f30b6c0a07defcea2cb660b

Fixed

976721d0f3e903a243584d47870ad2f2c1bf9e55