Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-w2z8-sxzw-rugp

Summary

Jetty vulnerable to errant command quoting in CGI Servlet
If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested.

```java
if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
execCmd = "\"" + execCmd + "\"";
```

Aliases

alias	CVE-2023-36479

alias	GHSA-3gh6-v5v9-6v9j

Fixed_packages

url	pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823
purl	pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823

url	pkg:maven/org.eclipse.jetty/jetty-server@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-server@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-server@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-server@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@11.0.16

url	pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
purl	pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.1

url	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16

url	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52
purl	pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52

url	pkg:maven/org.eclipse.jetty/jetty-util@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-util@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-util@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-util@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@11.0.16

url	pkg:maven/org.eclipse.jetty/jetty-util@12.0.1
purl	pkg:maven/org.eclipse.jetty/jetty-util@12.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@12.0.1

url	pkg:maven/org.eclipse.jetty/jetty-util@9.4.52.v20230823
purl	pkg:maven/org.eclipse.jetty/jetty-util@9.4.52.v20230823
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@9.4.52.v20230823

url	pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.52.v20230823
purl	pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.52.v20230823
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.52.v20230823

url	pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.16

url	pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-servlets@12.0.0-beta2
purl	pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-servlets@12.0.0-beta2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-servlets@12.0.0-beta2

url	pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-servlets@12.0.0-beta2
purl	pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-servlets@12.0.0-beta2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-servlets@12.0.0-beta2

url	pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-servlets@12.0.0-beta2
purl	pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-servlets@12.0.0-beta2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-servlets@12.0.0-beta2

Affected_packages

url pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.0

purl pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-njhm-y8we-sycj

vulnerability	VCID-w2z8-sxzw-rugp

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.0

url pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.0

purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-njhm-y8we-sycj

vulnerability	VCID-w2z8-sxzw-rugp

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.0

url pkg:maven/org.eclipse.jetty/jetty-servlets@9.0.0

purl pkg:maven/org.eclipse.jetty/jetty-servlets@9.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-w2z8-sxzw-rugp

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@9.0.0

url pkg:maven/org.eclipse.jetty/jetty-webapp@9.0.0

purl pkg:maven/org.eclipse.jetty/jetty-webapp@9.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-w2z8-sxzw-rugp

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@9.0.0

url pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.0

purl pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-njhm-y8we-sycj

vulnerability	VCID-w2z8-sxzw-rugp

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.0

url pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.0

purl pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-njhm-y8we-sycj

vulnerability	VCID-w2z8-sxzw-rugp

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.0

url pkg:maven/org.eclipse.jetty/jetty-webapp@12.0.0

purl pkg:maven/org.eclipse.jetty/jetty-webapp@12.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-w2z8-sxzw-rugp

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@12.0.0

References

reference_url	https://github.com/eclipse/jetty.project
reference_id
reference_type
scores
url	https://github.com/eclipse/jetty.project

reference_url	https://github.com/eclipse/jetty.project/pull/9516
reference_id
reference_type
scores
url	https://github.com/eclipse/jetty.project/pull/9516

reference_url	https://github.com/eclipse/jetty.project/pull/9888
reference_id
reference_type
scores
url	https://github.com/eclipse/jetty.project/pull/9888

reference_url	https://github.com/eclipse/jetty.project/pull/9889
reference_id
reference_type
scores
url	https://github.com/eclipse/jetty.project/pull/9889

reference_url	https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html

reference_url	https://www.debian.org/security/2023/dsa-5507
reference_id
reference_type
scores
url	https://www.debian.org/security/2023/dsa-5507

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-36479
reference_id	CVE-2023-36479
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-36479

reference_url	https://github.com/advisories/GHSA-3gh6-v5v9-6v9j
reference_id	GHSA-3gh6-v5v9-6v9j
reference_type
scores
url	https://github.com/advisories/GHSA-3gh6-v5v9-6v9j

reference_url	https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
reference_id	GHSA-3gh6-v5v9-6v9j
reference_type
scores
url	https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j

Weaknesses

cwe_id	149
name	Improper Neutralization of Quoting Syntax
description	Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w2z8-sxzw-rugp

Vulnerability Instance