VulnerableCode Package Details - pkg:rpm/redhat/eap7-yasson@1.0.11-4.redhat

Search for packages

Vulnerability	Summary	Fixed by
VCID-dtzg-44zp-cqds Aliases: CVE-2023-26048 GHSA-qw69-rqj8-6qw8	OutOfMemoryError for large multipart without filename in Eclipse Jetty ### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-dtzg-44zp-cqds
Aliases:
CVE-2023-26048
GHSA-qw69-rqj8-6qw8

OutOfMemoryError for large multipart without filename in Eclipse Jetty ### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-29T09:08:42.207031+00:00	RedHat Importer	Affected by	VCID-dtzg-44zp-cqds	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json	38.6.0

2026-05-29T09:08:42.207031+00:00

RedHat Importer

Affected by

VCID-dtzg-44zp-cqds

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk