Vulnerability details: VCID-9xw3-4a4u-hbbb
Vulnerability ID VCID-9xw3-4a4u-hbbb
Aliases CVE-2023-26049
GHSA-p26g-97m4-6q7c
Summary Exposure of Sensitive Information to an Unauthorized Actor

Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies.

This has security implications because if, say, JSESSIONID is an HttpOnly cookie and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. It is also significant when an intermediary enforces a policy based on cookies: a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system.

This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0, and users are advised to upgrade. There are no known workarounds for this issue.
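The parsing difference described in the summary, modelled in Python as an added example (this is not Jetty's code; the two split functions and the name-comparison check are illustrative approximations of the two behaviours, and the sample header is the one quoted above):

```python
def rfc6265_split(header: str) -> list[tuple[str, str]]:
    """Model of an RFC 6265 intermediary: split on ';' only, no quote handling."""
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def quote_aware_split(header: str) -> list[tuple[str, str]]:
    """Model of the pre-fix behaviour the summary describes: a value that starts
    with '"' runs to the closing '"' (or end of header), semicolons included."""
    pairs, i, n = [], 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":       # skip separators
            i += 1
        eq = header.find("=", i)
        if i >= n or eq == -1:
            break
        name, j = header[i:eq].strip(), eq + 1
        if j < n and header[j] == '"':           # quoted value: read to closing quote
            end = header.find('"', j + 1)
            end = n if end == -1 else end
            value, i = header[j + 1:end], end + 1
        else:                                    # plain value: read to next ';'
            end = header.find(";", j)
            end = n if end == -1 else end
            value, i = header[j:end].strip(), end
        pairs.append((name, value))
    return pairs


def swallowed_cookie_names(header: str) -> set[str]:
    """Defender-side check: cookie names an RFC 6265 splitter sees but the
    quote-aware parser folds into another cookie's value. A non-empty result
    means an intermediary and the server disagree about which cookies exist,
    which is the precondition for the smuggling and policy-bypass scenarios."""
    rfc_names = {name for name, _ in rfc6265_split(header)}
    qa_names = {name for name, _ in quote_aware_split(header)}
    return rfc_names - qa_names


# Constructed sample: the Cookie header quoted in the advisory summary.
SAMPLE = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'
# swallowed_cookie_names(SAMPLE) -> {'JSESSIONID', 'c'}
```

Running the check over Cookie headers in access logs or at a reverse proxy flags requests where the two parsers would disagree, which is the signal to look for until the fixed versions are deployed.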
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
epss 0.00335 https://api.first.org/data/v1/epss?cve=CVE-2023-26049
epss 0.00346 https://api.first.org/data/v1/epss?cve=CVE-2023-26049
cvssv3.1 3.7 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr LOW https://github.com/advisories/GHSA-p26g-97m4-6q7c
cvssv3.1 2.4 https://github.com/eclipse/jetty.project
generic_textual LOW https://github.com/eclipse/jetty.project
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/pull/9339
generic_textual LOW https://github.com/eclipse/jetty.project/pull/9339
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/pull/9352
generic_textual LOW https://github.com/eclipse/jetty.project/pull/9352
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
generic_textual LOW https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
cvssv3.1_qr LOW https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
generic_textual LOW https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
cvssv3.1 2.4 https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
generic_textual LOW https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
cvssv3.1 2.4 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2023-26049
cvssv3.1 2.4 https://security.netapp.com/advisory/ntap-20230526-0001
generic_textual LOW https://security.netapp.com/advisory/ntap-20230526-0001
cvssv3.1 2.4 https://www.debian.org/security/2023/dsa-5507
generic_textual LOW https://www.debian.org/security/2023/dsa-5507
cvssv3.1 2.4 https://www.rfc-editor.org/rfc/rfc2965
generic_textual LOW https://www.rfc-editor.org/rfc/rfc2965
cvssv3.1 2.4 https://www.rfc-editor.org/rfc/rfc6265
generic_textual LOW https://www.rfc-editor.org/rfc/rfc6265
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
https://api.first.org/data/v1/epss?cve=CVE-2023-26049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/eclipse/jetty.project
https://github.com/eclipse/jetty.project/pull/9339
https://github.com/eclipse/jetty.project/pull/9352
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
https://security.netapp.com/advisory/ntap-20230526-0001
https://security.netapp.com/advisory/ntap-20230526-0001/
https://www.debian.org/security/2023/dsa-5507
https://www.rfc-editor.org/rfc/rfc2965
https://www.rfc-editor.org/rfc/rfc6265
2236341 https://bugzilla.redhat.com/show_bug.cgi?id=2236341
CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
GHSA-p26g-97m4-6q7c https://github.com/advisories/GHSA-p26g-97m4-6q7c
GHSA-p26g-97m4-6q7c https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441
RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
RHSA-2024:0797 https://access.redhat.com/errata/RHSA-2024:0797
RHSA-2024:3385 https://access.redhat.com/errata/RHSA-2024:3385
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/pull/9339
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/pull/9352
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-26049
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20230526-0001
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://www.debian.org/security/2023/dsa-5507
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://www.rfc-editor.org/rfc/rfc2965
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://www.rfc-editor.org/rfc/rfc6265
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): high; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.56353
EPSS Score 0.00335
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:09.977305+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-server/CVE-2023-26049.yml 38.0.0