OESA-2024-2297

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2297

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2024-2297.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2024-2297

Upstream

CVE-2023-26048

CVE-2023-36479

CVE-2023-40167

Published

2024-10-25T11:09:27Z

Modified

2025-08-12T05:38:35.008518Z

Summary

jetty security update

Details

%global desc \ Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\ do not need to configure and run a separate web server (like Apache) in order\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\ featured web server for static and dynamic content. Unlike separate\ server/container solutions, this means that your web server and web\ application run in the same process, without interconnection overheads\ and complications. Furthermore, as a pure java component, Jetty can be simply\ included in your application for demonstration, distribution or deployment.\ Jetty is available on all Java supported platforms. \ %global extdesc \ \ This package contains

Security Fix(es):

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).(CVE-2023-26048)

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2. (CVE-2023-36479)

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.(CVE-2023-40167)

Database specific

{
    "severity": "Medium"
}

References

Affected packages

openEuler:22.03-LTS-SP1 / jetty

Package

Name: jetty
Purl: pkg:rpm/openEuler/jetty&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.16-7.oe2203sp1

Ecosystem specific

{
    "src": [
        "jetty-9.4.16-7.oe2203sp1.src.rpm"
    ],
    "noarch": [
        "jetty-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-alpn-client-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-alpn-server-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-annotations-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-ant-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-cdi-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-client-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-continuation-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-deploy-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-fcgi-client-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-fcgi-server-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-http-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-http-spi-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-http2-client-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-http2-common-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-http2-hpack-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-http2-http-client-transport-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-http2-server-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-httpservice-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-infinispan-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-io-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-jaas-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-jaspi-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-javadoc-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-javax-websocket-client-impl-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-javax-websocket-server-impl-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-jmx-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-jndi-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-jsp-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-jspc-maven-plugin-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-jstl-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-maven-plugin-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-nosql-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-osgi-alpn-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-osgi-boot-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-osgi-boot-jsp-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-osgi-boot-warurl-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-plus-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-project-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-proxy-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-quickstart-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-rewrite-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-security-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-server-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-servlet-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-servlets-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-spring-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-start-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-unixsocket-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-util-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-util-ajax-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-webapp-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-websocket-api-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-websocket-client-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-websocket-common-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-websocket-server-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-websocket-servlet-9.4.16-7.oe2203sp1.noarch.rpm",
        "jetty-xml-9.4.16-7.oe2203sp1.noarch.rpm"
    ]
}