CVE-2023-41900

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41900
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41900.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41900
Aliases
Related
Published
2023-09-15T21:15:11Z
Modified
2024-10-12T11:06:28.680546Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the LoginService. This impacts usages of the jetty-openid which have configured a nested LoginService and where that LoginService will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

References

Affected packages

Debian:11 / jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.39-3+deb11u2

Affected versions

9.*

9.4.39-3
9.4.39-3+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.50-4+deb12u1

Affected versions

9.*

9.4.50-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.52-1

Affected versions

9.*

9.4.50-4
9.4.51-1
9.4.51-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/eclipse/jetty.project

Affected ranges

Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Type
GIT
Repo
https://github.com/jetty/jetty.project
Events

Affected versions

jetty-10.*

jetty-10.0.0
jetty-10.0.1
jetty-10.0.13
jetty-10.0.15
jetty-10.0.2
jetty-10.0.4
jetty-10.0.5
jetty-10.0.6
jetty-10.0.7
jetty-10.0.8

jetty-9.*

jetty-9.2.29.v20191105
jetty-9.3.28.v20191105
jetty-9.4.21.v20190926
jetty-9.4.22.v20191022
jetty-9.4.23.v20191118
jetty-9.4.24.v20191120
jetty-9.4.25.v20191220
jetty-9.4.26.v20200117
jetty-9.4.27.v20200227
jetty-9.4.28.v20200408
jetty-9.4.29.v20200521
jetty-9.4.30.v20200611
jetty-9.4.31.v20200723
jetty-9.4.32.v20200930
jetty-9.4.33.v20201020
jetty-9.4.34.v20201102
jetty-9.4.35.v20201120
jetty-9.4.36.v20210114
jetty-9.4.37.v20210219
jetty-9.4.38.v20210224
jetty-9.4.39.v20210325
jetty-9.4.40.v20210413
jetty-9.4.42.v20210604
jetty-9.4.43.v20210629
jetty-9.4.44.v20210927
jetty-9.4.45.v20220203
jetty-9.4.50.v20221201