Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/46014?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46014?format=api", "vulnerability_id": "VCID-w2z8-sxzw-rugp", "summary": "Jetty vulnerable to errant command quoting in CGI Servlet\nIf a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested.\n\n```java\nif (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \"))\nexecCmd = \"\\\"\" + execCmd + \"\\\"\";\n```", "aliases": [ { "alias": "CVE-2023-36479" }, { "alias": "GHSA-3gh6-v5v9-6v9j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66965?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823" }, { "url": "http://public2.vulnerablecode.io/api/packages/66966?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-server@10.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@10.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/66967?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-server@11.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@11.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/64768?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-server@12.0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/66938?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52" }, { "url": "http://public2.vulnerablecode.io/api/packages/66939?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/66940?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/66976?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-util@9.4.52.v20230823", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@9.4.52.v20230823" }, { "url": "http://public2.vulnerablecode.io/api/packages/66977?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-util@10.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@10.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/66978?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-util@11.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@11.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/66979?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-util@12.0.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-util@12.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/66969?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.52.v20230823", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.52.v20230823" }, { "url": "http://public2.vulnerablecode.io/api/packages/66970?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/66971?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/66941?format=api", "purl": "pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-servlets@12.0.0-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-servlets@12.0.0-beta2" }, { "url": "http://public2.vulnerablecode.io/api/packages/66943?format=api", "purl": "pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-servlets@12.0.0-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-servlets@12.0.0-beta2" }, { "url": "http://public2.vulnerablecode.io/api/packages/66925?format=api", "purl": "pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-servlets@12.0.0-beta2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-servlets@12.0.0-beta2" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66937?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-servlets@9.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vps-uq7s-nfb7" }, { "vulnerability": "VCID-w2z8-sxzw-rugp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@9.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/64790?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vps-uq7s-nfb7" }, { "vulnerability": "VCID-gua7-n9ne-t3hk" }, { "vulnerability": "VCID-njhm-y8we-sycj" }, { "vulnerability": "VCID-w2z8-sxzw-rugp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@10.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/64791?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vps-uq7s-nfb7" }, { "vulnerability": "VCID-gua7-n9ne-t3hk" }, { "vulnerability": "VCID-njhm-y8we-sycj" }, { "vulnerability": "VCID-w2z8-sxzw-rugp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/66968?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp@9.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vps-uq7s-nfb7" }, { "vulnerability": "VCID-w2z8-sxzw-rugp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@9.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/64769?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vps-uq7s-nfb7" }, { "vulnerability": "VCID-gua7-n9ne-t3hk" }, { "vulnerability": "VCID-njhm-y8we-sycj" }, { "vulnerability": "VCID-w2z8-sxzw-rugp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@10.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/64770?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vps-uq7s-nfb7" }, { "vulnerability": "VCID-gua7-n9ne-t3hk" }, { "vulnerability": "VCID-njhm-y8we-sycj" }, { "vulnerability": "VCID-w2z8-sxzw-rugp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@11.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/64771?format=api", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp@12.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3vps-uq7s-nfb7" }, { "vulnerability": "VCID-gua7-n9ne-t3hk" }, { "vulnerability": "VCID-w2z8-sxzw-rugp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-webapp@12.0.0" } ], "references": [ { "reference_url": "https://github.com/eclipse/jetty.project", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/eclipse/jetty.project" }, { "reference_url": "https://github.com/eclipse/jetty.project/pull/9516", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/eclipse/jetty.project/pull/9516" }, { "reference_url": "https://github.com/eclipse/jetty.project/pull/9888", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/eclipse/jetty.project/pull/9888" }, { "reference_url": "https://github.com/eclipse/jetty.project/pull/9889", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/eclipse/jetty.project/pull/9889" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5507", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2023/dsa-5507" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36479", "reference_id": "CVE-2023-36479", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36479" }, { "reference_url": "https://github.com/advisories/GHSA-3gh6-v5v9-6v9j", "reference_id": "GHSA-3gh6-v5v9-6v9j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3gh6-v5v9-6v9j" }, { "reference_url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j", "reference_id": "GHSA-3gh6-v5v9-6v9j", "reference_type": "", "scores": [], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j" } ], "weaknesses": [ { "cwe_id": 149, "name": "Improper Neutralization of Quoting Syntax", "description": "Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w2z8-sxzw-rugp" }