Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16

Type maven

Namespace org.eclipse.jetty

Name jetty-servlets

Version 10.0.16

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 10.0.18

Latest_non_vulnerable_version 12.0.4

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-3vps-uq7s-nfb7

vulnerability_id VCID-3vps-uq7s-nfb7

summary

Improper Handling of Length Parameter Inconsistency
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40167.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40167.json

reference_url

https://github.com/eclipse/jetty.project

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project

reference_url

https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html

reference_url

https://www.debian.org/security/2023/dsa-5507

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5507

reference_url

https://www.rfc-editor.org/rfc/rfc9110#section-8.6

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.rfc-editor.org/rfc/rfc9110#section-8.6

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2239634
reference_id	2239634
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2239634

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-40167

reference_id

CVE-2023-40167

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-40167

reference_url	https://github.com/advisories/GHSA-hmr7-m48g-48f6
reference_id	GHSA-hmr7-m48g-48f6
reference_type
scores
url	https://github.com/advisories/GHSA-hmr7-m48g-48f6

reference_url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6

reference_id

GHSA-hmr7-m48g-48f6

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6

reference_url	https://access.redhat.com/errata/RHSA-2023:5441
reference_id	RHSA-2023:5441
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5441

reference_url	https://access.redhat.com/errata/RHSA-2023:5780
reference_id	RHSA-2023:5780
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5780

reference_url	https://access.redhat.com/errata/RHSA-2023:5946
reference_id	RHSA-2023:5946
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5946

reference_url	https://access.redhat.com/errata/RHSA-2023:7247
reference_id	RHSA-2023:7247
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7247

reference_url	https://access.redhat.com/errata/RHSA-2023:7678
reference_id	RHSA-2023:7678
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7678

reference_url	https://access.redhat.com/errata/RHSA-2023:7697
reference_id	RHSA-2023:7697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7697

reference_url	https://access.redhat.com/errata/RHSA-2024:0778
reference_id	RHSA-2024:0778
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0778

reference_url	https://access.redhat.com/errata/RHSA-2024:0797
reference_id	RHSA-2024:0797
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0797

fixed_packages

url	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823

url	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16

aliases CVE-2023-40167, GHSA-hmr7-m48g-48f6

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3vps-uq7s-nfb7

url VCID-njhm-y8we-sycj

vulnerability_id VCID-njhm-y8we-sycj

summary

Jetty's OpenId Revoked authentication allows one request
If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated.

So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-41900.json

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-41900.json

reference_url

https://github.com/eclipse/jetty.project

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project

reference_url

https://github.com/eclipse/jetty.project/pull/9528

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/pull/9528

reference_url

https://github.com/eclipse/jetty.project/pull/9660

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/pull/9660

reference_url

https://security.netapp.com/advisory/ntap-20231110-0004

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231110-0004

reference_url

https://www.debian.org/security/2023/dsa-5507

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5507

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2247052
reference_id	2247052
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2247052

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-41900

reference_id

CVE-2023-41900

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-41900

reference_url	https://github.com/advisories/GHSA-pwh8-58vv-vw48
reference_id	GHSA-pwh8-58vv-vw48
reference_type
scores
url	https://github.com/advisories/GHSA-pwh8-58vv-vw48

reference_url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48

reference_id

GHSA-pwh8-58vv-vw48

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48

reference_url	https://access.redhat.com/errata/RHSA-2023:7247
reference_id	RHSA-2023:7247
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7247

fixed_packages

url	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823

url	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16

aliases CVE-2023-41900, GHSA-pwh8-58vv-vw48

risk_score 1.6

exploitability 0.5

weighted_severity 3.1

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-njhm-y8we-sycj

url VCID-w2z8-sxzw-rugp

vulnerability_id VCID-w2z8-sxzw-rugp

summary

Jetty vulnerable to errant command quoting in CGI Servlet
If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested.

```java
if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
execCmd = "\"" + execCmd + "\"";
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36479.json

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36479.json

reference_url

https://github.com/eclipse/jetty.project

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project

reference_url

https://github.com/eclipse/jetty.project/pull/9516

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/pull/9516

reference_url

https://github.com/eclipse/jetty.project/pull/9888

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/pull/9888

reference_url

https://github.com/eclipse/jetty.project/pull/9889

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/pull/9889

reference_url

https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html

reference_url

https://www.debian.org/security/2023/dsa-5507

reference_id

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2023/dsa-5507

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2239630
reference_id	2239630
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2239630

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-36479

reference_id

CVE-2023-36479

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-36479

reference_url	https://github.com/advisories/GHSA-3gh6-v5v9-6v9j
reference_id	GHSA-3gh6-v5v9-6v9j
reference_type
scores
url	https://github.com/advisories/GHSA-3gh6-v5v9-6v9j

reference_url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j

reference_id

GHSA-3gh6-v5v9-6v9j

reference_type

scores

value	3.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j

reference_url	https://access.redhat.com/errata/RHSA-2023:7247
reference_id	RHSA-2023:7247
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7247

reference_url	https://access.redhat.com/errata/RHSA-2024:0797
reference_id	RHSA-2024:0797
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0797

fixed_packages

url	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52

url	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16

aliases CVE-2023-36479, GHSA-3gh6-v5v9-6v9j

risk_score 1.6

exploitability 0.5

weighted_severity 3.1

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w2z8-sxzw-rugp

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16

Package Instance