CVE-2023-41900

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41900

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41900.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-41900

Aliases

GHSA-pwh8-58vv-vw48

Related

Published

2023-09-15T21:15:11Z

Modified

2024-09-11T06:13:32.343076Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the LoginService. This impacts usages of the jetty-openid which have configured a nested LoginService and where that LoginService will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

References

Affected packages

Debian:11 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.39-3+deb11u2

Affected versions

9.*

9.4.39-3

9.4.39-3+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.50-4+deb12u1

Affected versions

9.*

9.4.50-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.52-1

Affected versions

9.*

9.4.50-4

9.4.51-1

9.4.51-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/eclipse/jetty.project

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/jetty.project
Events: Introduced

72970db61a2904371e1218a95a3bef5d79788c33

Fixed

abdcda73818a1a2c705da276edb0bf6581e7997e

Type: GIT
Repo: https://github.com/jetty/jetty.project
Events: Introduced

b9645a17373e4e9b7f30b6c0a07defcea2cb660b

Fixed

a2735a9ae9d1afc124974253f1e223e5678be1f4

Affected versions

jetty-10.*

jetty-10.0.0

jetty-10.0.1

jetty-10.0.13

jetty-10.0.15

jetty-10.0.2

jetty-10.0.4

jetty-10.0.5

jetty-10.0.6

jetty-10.0.7

jetty-10.0.8

jetty-9.*

jetty-9.2.29.v20191105

jetty-9.3.28.v20191105

jetty-9.4.21.v20190926

jetty-9.4.22.v20191022

jetty-9.4.23.v20191118

jetty-9.4.24.v20191120

jetty-9.4.25.v20191220

jetty-9.4.26.v20200117

jetty-9.4.27.v20200227

jetty-9.4.28.v20200408

jetty-9.4.29.v20200521

jetty-9.4.30.v20200611

jetty-9.4.31.v20200723

jetty-9.4.32.v20200930

jetty-9.4.33.v20201020

jetty-9.4.34.v20201102

jetty-9.4.35.v20201120

jetty-9.4.36.v20210114

jetty-9.4.37.v20210219

jetty-9.4.38.v20210224

jetty-9.4.39.v20210325

jetty-9.4.40.v20210413

jetty-9.4.42.v20210604

jetty-9.4.43.v20210629

jetty-9.4.44.v20210927

jetty-9.4.45.v20220203

jetty-9.4.50.v20221201