Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.4
Type maven
Namespace org.eclipse.jetty
Name jetty-servlets
Version 11.0.4
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 11.0.18
Latest_non_vulnerable_version 11.0.18
Affected_by_vulnerabilities
0
url VCID-1ejr-3tea-kydr
vulnerability_id VCID-1ejr-3tea-kydr
summary
Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks
### Impact
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server's memory.

### Patches
* https://github.com/jetty/jetty.project/pull/9715
* https://github.com/jetty/jetty.project/pull/9716

### Workarounds
The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
* not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
* reducing the idle timeout on unauthenticated sessions, which reduces the time such sessions stay in memory.
* configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

### References
* https://github.com/jetty/jetty.project/pull/10756
* https://github.com/jetty/jetty.project/pull/10755
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6762.json
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6762.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-6762
reference_id
reference_type
scores
0
value 0.00563
scoring_system epss
scoring_elements 0.68458
published_at 2026-04-29T12:55:00Z
1
value 0.00563
scoring_system epss
scoring_elements 0.68453
published_at 2026-04-26T12:55:00Z
2
value 0.00563
scoring_system epss
scoring_elements 0.68448
published_at 2026-04-24T12:55:00Z
3
value 0.00563
scoring_system epss
scoring_elements 0.684
published_at 2026-04-21T12:55:00Z
4
value 0.00563
scoring_system epss
scoring_elements 0.68423
published_at 2026-04-18T12:55:00Z
5
value 0.00563
scoring_system epss
scoring_elements 0.68404
published_at 2026-04-12T12:55:00Z
6
value 0.00563
scoring_system epss
scoring_elements 0.68409
published_at 2026-04-16T12:55:00Z
7
value 0.00563
scoring_system epss
scoring_elements 0.68371
published_at 2026-04-13T12:55:00Z
8
value 0.00563
scoring_system epss
scoring_elements 0.68416
published_at 2026-04-11T12:55:00Z
9
value 0.00563
scoring_system epss
scoring_elements 0.68389
published_at 2026-04-09T12:55:00Z
10
value 0.00563
scoring_system epss
scoring_elements 0.68372
published_at 2026-04-08T12:55:00Z
11
value 0.00563
scoring_system epss
scoring_elements 0.68321
published_at 2026-04-07T12:55:00Z
12
value 0.00563
scoring_system epss
scoring_elements 0.68345
published_at 2026-04-04T12:55:00Z
13
value 0.00563
scoring_system epss
scoring_elements 0.68325
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-6762
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6762
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6762
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
5
reference_url https://github.com/jetty/jetty.project/pull/10755
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/10755
6
reference_url https://github.com/jetty/jetty.project/pull/10756
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/10756
7
reference_url https://github.com/jetty/jetty.project/pull/9715
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/9715
8
reference_url https://github.com/jetty/jetty.project/pull/9716
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/9716
9
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
10
reference_url https://gitlab.eclipse.org/security/cve-assignement/-/issues/24
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://gitlab.eclipse.org/security/cve-assignement/-/issues/24
11
reference_url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-6762
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-6762
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085697
reference_id 1085697
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085697
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2318562
reference_id 2318562
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2318562
15
reference_url https://github.com/advisories/GHSA-r7m4-f9h5-gr79
reference_id GHSA-r7m4-f9h5-gr79
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r7m4-f9h5-gr79
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.18
purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.18
1
url pkg:maven/org.eclipse.jetty/jetty-servlets@12.0.4
purl pkg:maven/org.eclipse.jetty/jetty-servlets@12.0.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@12.0.4
aliases CVE-2024-6762, GHSA-r7m4-f9h5-gr79
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1ejr-3tea-kydr
1
url VCID-9xw3-4a4u-hbbb
vulnerability_id VCID-9xw3-4a4u-hbbb
summary
Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-26049
reference_id
reference_type
scores
0
value 0.00335
scoring_system epss
scoring_elements 0.56274
published_at 2026-04-29T12:55:00Z
1
value 0.00335
scoring_system epss
scoring_elements 0.56296
published_at 2026-04-26T12:55:00Z
2
value 0.00335
scoring_system epss
scoring_elements 0.56275
published_at 2026-04-24T12:55:00Z
3
value 0.00335
scoring_system epss
scoring_elements 0.56353
published_at 2026-04-21T12:55:00Z
4
value 0.00346
scoring_system epss
scoring_elements 0.57285
published_at 2026-04-11T12:55:00Z
5
value 0.00346
scoring_system epss
scoring_elements 0.57265
published_at 2026-04-12T12:55:00Z
6
value 0.00346
scoring_system epss
scoring_elements 0.57244
published_at 2026-04-13T12:55:00Z
7
value 0.00346
scoring_system epss
scoring_elements 0.5724
published_at 2026-04-04T12:55:00Z
8
value 0.00346
scoring_system epss
scoring_elements 0.57217
published_at 2026-04-07T12:55:00Z
9
value 0.00346
scoring_system epss
scoring_elements 0.57268
published_at 2026-04-18T12:55:00Z
10
value 0.00346
scoring_system epss
scoring_elements 0.57269
published_at 2026-04-08T12:55:00Z
11
value 0.00346
scoring_system epss
scoring_elements 0.57272
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-26049
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/eclipse/jetty.project
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project
9
reference_url https://github.com/eclipse/jetty.project/pull/9339
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project/pull/9339
10
reference_url https://github.com/eclipse/jetty.project/pull/9352
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project/pull/9352
11
reference_url https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
12
reference_url https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
13
reference_url https://security.netapp.com/advisory/ntap-20230526-0001
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20230526-0001
14
reference_url https://security.netapp.com/advisory/ntap-20230526-0001/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20230526-0001/
15
reference_url https://www.debian.org/security/2023/dsa-5507
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5507
16
reference_url https://www.rfc-editor.org/rfc/rfc2965
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.rfc-editor.org/rfc/rfc2965
17
reference_url https://www.rfc-editor.org/rfc/rfc6265
reference_id
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://www.rfc-editor.org/rfc/rfc6265
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2236341
reference_id 2236341
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2236341
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-26049
reference_id CVE-2023-26049
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-26049
20
reference_url https://github.com/advisories/GHSA-p26g-97m4-6q7c
reference_id GHSA-p26g-97m4-6q7c
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p26g-97m4-6q7c
21
reference_url https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
reference_id GHSA-p26g-97m4-6q7c
reference_type
scores
0
value 2.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
22
reference_url https://access.redhat.com/errata/RHSA-2023:5165
reference_id RHSA-2023:5165
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:5165
23
reference_url https://access.redhat.com/errata/RHSA-2023:5441
reference_id RHSA-2023:5441
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:5441
24
reference_url https://access.redhat.com/errata/RHSA-2024:0778
reference_id RHSA-2024:0778
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0778
25
reference_url https://access.redhat.com/errata/RHSA-2024:0797
reference_id RHSA-2024:0797
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0797
26
reference_url https://access.redhat.com/errata/RHSA-2024:3385
reference_id RHSA-2024:3385
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3385
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.14
purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ejr-3tea-kydr
1
vulnerability VCID-memq-11qz-9qem
2
vulnerability VCID-q3k2-1x5q-buhy
3
vulnerability VCID-rpc4-u4aq-4qde
4
vulnerability VCID-thpu-76e5-j3d3
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.14
aliases CVE-2023-26049, GHSA-p26g-97m4-6q7c
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9xw3-4a4u-hbbb
2
url VCID-memq-11qz-9qem
vulnerability_id VCID-memq-11qz-9qem
summary
Eclipse Jetty has a denial of service vulnerability on DosFilter
### Description
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.

### Vulnerability details
The Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server. The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds. The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.

### Impact
Users of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.

### Patches
The DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.

Patched releases:
* 9.4.54
* 10.0.18
* 11.0.18
* 12.0.3
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9823.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9823.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-9823
reference_id
reference_type
scores
0
value 0.0068
scoring_system epss
scoring_elements 0.71664
published_at 2026-04-29T12:55:00Z
1
value 0.0068
scoring_system epss
scoring_elements 0.71659
published_at 2026-04-26T12:55:00Z
2
value 0.0068
scoring_system epss
scoring_elements 0.71654
published_at 2026-04-24T12:55:00Z
3
value 0.0068
scoring_system epss
scoring_elements 0.71543
published_at 2026-04-02T12:55:00Z
4
value 0.0068
scoring_system epss
scoring_elements 0.71618
published_at 2026-04-16T12:55:00Z
5
value 0.0068
scoring_system epss
scoring_elements 0.71592
published_at 2026-04-12T12:55:00Z
6
value 0.0068
scoring_system epss
scoring_elements 0.71608
published_at 2026-04-11T12:55:00Z
7
value 0.0068
scoring_system epss
scoring_elements 0.71585
published_at 2026-04-09T12:55:00Z
8
value 0.0068
scoring_system epss
scoring_elements 0.71574
published_at 2026-04-13T12:55:00Z
9
value 0.0068
scoring_system epss
scoring_elements 0.71534
published_at 2026-04-07T12:55:00Z
10
value 0.0068
scoring_system epss
scoring_elements 0.71561
published_at 2026-04-04T12:55:00Z
11
value 0.0068
scoring_system epss
scoring_elements 0.71604
published_at 2026-04-21T12:55:00Z
12
value 0.0068
scoring_system epss
scoring_elements 0.71623
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-9823
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9823
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9823
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
5
reference_url https://github.com/jetty/jetty.project/issues/1256
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:46:11Z/
url https://github.com/jetty/jetty.project/issues/1256
6
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:46:11Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
7
reference_url https://gitlab.eclipse.org/security/cve-assignement/-/issues/39
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:46:11Z/
url https://gitlab.eclipse.org/security/cve-assignement/-/issues/39
8
reference_url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-9823
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-9823
10
reference_url https://security.netapp.com/advisory/ntap-20250306-0006
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250306-0006
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2318565
reference_id 2318565
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2318565
12
reference_url https://github.com/advisories/GHSA-j26w-f9rq-mr2q
reference_id GHSA-j26w-f9rq-mr2q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j26w-f9rq-mr2q
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.18
purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.18
aliases CVE-2024-9823, GHSA-j26w-f9rq-mr2q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-memq-11qz-9qem
3
url VCID-q3k2-1x5q-buhy
vulnerability_id VCID-q3k2-1x5q-buhy
summary
Improper Handling of Length Parameter Inconsistency
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40167.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40167.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40167
reference_id
reference_type
scores
0
value 0.04833
scoring_system epss
scoring_elements 0.89547
published_at 2026-04-29T12:55:00Z
1
value 0.04833
scoring_system epss
scoring_elements 0.89484
published_at 2026-04-02T12:55:00Z
2
value 0.04833
scoring_system epss
scoring_elements 0.89495
published_at 2026-04-04T12:55:00Z
3
value 0.04833
scoring_system epss
scoring_elements 0.89496
published_at 2026-04-07T12:55:00Z
4
value 0.04833
scoring_system epss
scoring_elements 0.89512
published_at 2026-04-08T12:55:00Z
5
value 0.04833
scoring_system epss
scoring_elements 0.89515
published_at 2026-04-09T12:55:00Z
6
value 0.04833
scoring_system epss
scoring_elements 0.89523
published_at 2026-04-11T12:55:00Z
7
value 0.04833
scoring_system epss
scoring_elements 0.8952
published_at 2026-04-12T12:55:00Z
8
value 0.04833
scoring_system epss
scoring_elements 0.89516
published_at 2026-04-13T12:55:00Z
9
value 0.04833
scoring_system epss
scoring_elements 0.8953
published_at 2026-04-16T12:55:00Z
10
value 0.04833
scoring_system epss
scoring_elements 0.89531
published_at 2026-04-18T12:55:00Z
11
value 0.04833
scoring_system epss
scoring_elements 0.89528
published_at 2026-04-21T12:55:00Z
12
value 0.04833
scoring_system epss
scoring_elements 0.89543
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40167
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/eclipse/jetty.project
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project
9
reference_url https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/
url https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
10
reference_url https://www.debian.org/security/2023/dsa-5507
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/
url https://www.debian.org/security/2023/dsa-5507
11
reference_url https://www.rfc-editor.org/rfc/rfc9110#section-8.6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/
url https://www.rfc-editor.org/rfc/rfc9110#section-8.6
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2239634
reference_id 2239634
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2239634
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40167
reference_id CVE-2023-40167
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40167
14
reference_url https://github.com/advisories/GHSA-hmr7-m48g-48f6
reference_id GHSA-hmr7-m48g-48f6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hmr7-m48g-48f6
15
reference_url https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
reference_id GHSA-hmr7-m48g-48f6
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/
url https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
16
reference_url https://access.redhat.com/errata/RHSA-2023:5441
reference_id RHSA-2023:5441
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:5441
17
reference_url https://access.redhat.com/errata/RHSA-2023:5780
reference_id RHSA-2023:5780
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:5780
18
reference_url https://access.redhat.com/errata/RHSA-2023:5946
reference_id RHSA-2023:5946
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:5946
19
reference_url https://access.redhat.com/errata/RHSA-2023:7678
reference_id RHSA-2023:7678
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7678
20
reference_url https://access.redhat.com/errata/RHSA-2023:7697
reference_id RHSA-2023:7697
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7697
21
reference_url https://access.redhat.com/errata/RHSA-2024:0778
reference_id RHSA-2024:0778
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0778
22
reference_url https://access.redhat.com/errata/RHSA-2024:0797
reference_id RHSA-2024:0797
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0797
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ejr-3tea-kydr
1
vulnerability VCID-memq-11qz-9qem
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
aliases CVE-2023-40167, GHSA-hmr7-m48g-48f6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q3k2-1x5q-buhy
4
url VCID-rpc4-u4aq-4qde
vulnerability_id VCID-rpc4-u4aq-4qde
summary
Jetty's OpenId Revoked authentication allows one request
If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated.

So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-41900.json
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-41900.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-41900
reference_id
reference_type
scores
0
value 0.00131
scoring_system epss
scoring_elements 0.32288
published_at 2026-04-29T12:55:00Z
1
value 0.00131
scoring_system epss
scoring_elements 0.32372
published_at 2026-04-26T12:55:00Z
2
value 0.00131
scoring_system epss
scoring_elements 0.32487
published_at 2026-04-24T12:55:00Z
3
value 0.00131
scoring_system epss
scoring_elements 0.32642
published_at 2026-04-21T12:55:00Z
4
value 0.00131
scoring_system epss
scoring_elements 0.32671
published_at 2026-04-18T12:55:00Z
5
value 0.00131
scoring_system epss
scoring_elements 0.32695
published_at 2026-04-16T12:55:00Z
6
value 0.00131
scoring_system epss
scoring_elements 0.32656
published_at 2026-04-13T12:55:00Z
7
value 0.00131
scoring_system epss
scoring_elements 0.32684
published_at 2026-04-12T12:55:00Z
8
value 0.00131
scoring_system epss
scoring_elements 0.32721
published_at 2026-04-11T12:55:00Z
9
value 0.00131
scoring_system epss
scoring_elements 0.3272
published_at 2026-04-09T12:55:00Z
10
value 0.00131
scoring_system epss
scoring_elements 0.32694
published_at 2026-04-08T12:55:00Z
11
value 0.00131
scoring_system epss
scoring_elements 0.32646
published_at 2026-04-07T12:55:00Z
12
value 0.00131
scoring_system epss
scoring_elements 0.32789
published_at 2026-04-02T12:55:00Z
13
value 0.00131
scoring_system epss
scoring_elements 0.32825
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-41900
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/eclipse/jetty.project
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project
9
reference_url https://github.com/eclipse/jetty.project/pull/9528
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T16:17:02Z/
url https://github.com/eclipse/jetty.project/pull/9528
10
reference_url https://github.com/eclipse/jetty.project/pull/9660
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T16:17:02Z/
url https://github.com/eclipse/jetty.project/pull/9660
11
reference_url https://security.netapp.com/advisory/ntap-20231110-0004
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231110-0004
12
reference_url https://www.debian.org/security/2023/dsa-5507
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T16:17:02Z/
url https://www.debian.org/security/2023/dsa-5507
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2247052
reference_id 2247052
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2247052
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-41900
reference_id CVE-2023-41900
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-41900
15
reference_url https://github.com/advisories/GHSA-pwh8-58vv-vw48
reference_id GHSA-pwh8-58vv-vw48
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pwh8-58vv-vw48
16
reference_url https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
reference_id GHSA-pwh8-58vv-vw48
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T16:17:02Z/
url https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
17
reference_url https://security.netapp.com/advisory/ntap-20231110-0004/
reference_id ntap-20231110-0004
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T16:17:02Z/
url https://security.netapp.com/advisory/ntap-20231110-0004/
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ejr-3tea-kydr
1
vulnerability VCID-memq-11qz-9qem
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
aliases CVE-2023-41900, GHSA-pwh8-58vv-vw48
risk_score 1.6
exploitability 0.5
weighted_severity 3.1
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rpc4-u4aq-4qde
5
url VCID-thpu-76e5-j3d3
vulnerability_id VCID-thpu-76e5-j3d3
summary
Jetty vulnerable to errant command quoting in CGI Servlet
If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to `Runtime.exec`. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called `file" name "here`, the escaping algorithm will generate the command line string `"file" name "here"`, which will invoke the binary named `file`, not the one that the user requested.

```java
// Vulnerable quoting (pre-fix): a command containing a space is wrapped in quotes,
// but a quote already inside the name still lets the string split into several tokens.
if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
    execCmd = "\"" + execCmd + "\"";
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36479.json
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36479.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-36479
reference_id
reference_type
scores
0
value 0.01383
scoring_system epss
scoring_elements 0.80385
published_at 2026-04-29T12:55:00Z
1
value 0.01383
scoring_system epss
scoring_elements 0.80255
published_at 2026-04-02T12:55:00Z
2
value 0.01383
scoring_system epss
scoring_elements 0.80276
published_at 2026-04-04T12:55:00Z
3
value 0.01383
scoring_system epss
scoring_elements 0.80264
published_at 2026-04-07T12:55:00Z
4
value 0.01383
scoring_system epss
scoring_elements 0.80291
published_at 2026-04-08T12:55:00Z
5
value 0.01383
scoring_system epss
scoring_elements 0.80302
published_at 2026-04-09T12:55:00Z
6
value 0.01383
scoring_system epss
scoring_elements 0.80321
published_at 2026-04-11T12:55:00Z
7
value 0.01383
scoring_system epss
scoring_elements 0.80306
published_at 2026-04-12T12:55:00Z
8
value 0.01383
scoring_system epss
scoring_elements 0.803
published_at 2026-04-13T12:55:00Z
9
value 0.01383
scoring_system epss
scoring_elements 0.8033
published_at 2026-04-16T12:55:00Z
10
value 0.01383
scoring_system epss
scoring_elements 0.80332
published_at 2026-04-18T12:55:00Z
11
value 0.01383
scoring_system epss
scoring_elements 0.80336
published_at 2026-04-21T12:55:00Z
12
value 0.01383
scoring_system epss
scoring_elements 0.80362
published_at 2026-04-24T12:55:00Z
13
value 0.01383
scoring_system epss
scoring_elements 0.80368
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-36479
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/eclipse/jetty.project
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/eclipse/jetty.project
9
reference_url https://github.com/eclipse/jetty.project/pull/9516
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:04:27Z/
url https://github.com/eclipse/jetty.project/pull/9516
10
reference_url https://github.com/eclipse/jetty.project/pull/9888
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:04:27Z/
url https://github.com/eclipse/jetty.project/pull/9888
11
reference_url https://github.com/eclipse/jetty.project/pull/9889
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:04:27Z/
url https://github.com/eclipse/jetty.project/pull/9889
12
reference_url https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:04:27Z/
url https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
13
reference_url https://www.debian.org/security/2023/dsa-5507
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:04:27Z/
url https://www.debian.org/security/2023/dsa-5507
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2239630
reference_id 2239630
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2239630
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36479
reference_id CVE-2023-36479
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-36479
16
reference_url https://github.com/advisories/GHSA-3gh6-v5v9-6v9j
reference_id GHSA-3gh6-v5v9-6v9j
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3gh6-v5v9-6v9j
17
reference_url https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
reference_id GHSA-3gh6-v5v9-6v9j
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:04:27Z/
url https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
18
reference_url https://access.redhat.com/errata/RHSA-2024:0797
reference_id RHSA-2024:0797
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0797
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
purl pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ejr-3tea-kydr
1
vulnerability VCID-memq-11qz-9qem
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.16
aliases CVE-2023-36479, GHSA-3gh6-v5v9-6v9j
risk_score 1.6
exploitability 0.5
weighted_severity 3.1
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-thpu-76e5-j3d3
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-servlets@11.0.4