Vulnerability details: VCID-5e9v-g286-zyd9
Vulnerability ID VCID-5e9v-g286-zyd9
Aliases CVE-2023-26048
GHSA-qw69-rqj8-6qw8
Summary OutOfMemoryError for large multipart without filename in Eclipse Jetty

### Impact

Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0`, which should stream the whole part content to disk.

An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service, although it may take some time. A very large number of parts may cause the same problem.

### Patches

Patched in Jetty versions:

* 9.4.51.v20230217 - via PR #9345
* 10.0.14 - via PR #9344
* 11.0.14 - via PR #9344

### Workarounds

Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that, summed up, will cause memory issues.

### References

* https://github.com/eclipse/jetty.project/issues/9076
* https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
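The workaround from the advisory in servlet form, as an added example that is not code from the advisory or the Jetty project: it contrasts the default `@MultipartConfig` the advisory describes with one that bounds the whole body via `maxRequestSize`. It assumes Jetty 11 with the `jakarta.servlet` API (Jetty 9.4 uses `javax.servlet`), a hypothetical `UploadServlet` mapped at `/upload`, and `/tmp/uploads` as a writable spool directory.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.MultipartConfig;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Part;

// Vulnerable shape from the advisory: a bare @MultipartConfig keeps the
// defaults (fileSizeThreshold=0, maxFileSize=-1, maxRequestSize=-1), so on
// affected Jetty versions a name-only part of unbounded size, or a flood
// of small parts, is buffered in memory until OutOfMemoryError:
//
//   @MultipartConfig
//   public class UploadServlet extends HttpServlet { ... }

// Hardened shape: maxRequestSize bounds the entire body, which is the
// workaround the advisory requires. maxFileSize alone is not sufficient
// because many parts can each stay under it while their sum does not.
@WebServlet("/upload")                  // assumption: hypothetical mapping
@MultipartConfig(
    location = "/tmp/uploads",          // assumption: writable spool dir
    fileSizeThreshold = 0,              // spool every part to disk
    maxFileSize = 10L * 1024 * 1024,    // 10 MiB per part
    maxRequestSize = 12L * 1024 * 1024  // 12 MiB for the whole request
)
public class UploadServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Multipart parsing happens here; the container enforces the
            // limits while reading instead of buffering an unbounded body.
            long total = 0;
            for (Part part : req.getParts()) {
                total += part.getSize();
                log("part=" + part.getName() + " file="
                        + part.getSubmittedFileName() + " bytes=" + part.getSize());
                part.delete(); // release the spooled temporary file
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("accepted " + total + " bytes");
        } catch (IllegalStateException tooLarge) {
            // Servlet spec: thrown when the request exceeds maxRequestSize
            // or a single part exceeds maxFileSize.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "multipart body exceeds the configured limit");
        }
    }
}
```

A 413 on oversized bodies is also a useful signal to alert on: a burst of them from one client is the benign-looking footprint of an attempt to trigger this issue.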
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json
epss 0.4117 https://api.first.org/data/v1/epss?cve=CVE-2023-26048
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-qw69-rqj8-6qw8
cvssv3.1 5.3 https://github.com/eclipse/jetty.project
generic_textual MODERATE https://github.com/eclipse/jetty.project
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/issues/9076
generic_textual MODERATE https://github.com/eclipse/jetty.project/issues/9076
ssvc Track https://github.com/eclipse/jetty.project/issues/9076
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/pull/9344
generic_textual MODERATE https://github.com/eclipse/jetty.project/pull/9344
ssvc Track https://github.com/eclipse/jetty.project/pull/9344
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/pull/9345
generic_textual MODERATE https://github.com/eclipse/jetty.project/pull/9345
ssvc Track https://github.com/eclipse/jetty.project/pull/9345
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
generic_textual MODERATE https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
cvssv3.1_qr MODERATE https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
generic_textual MODERATE https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
ssvc Track https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
cvssv3.1 5.3 https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
generic_textual MODERATE https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
ssvc Track https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
cvssv3.1 5.3 https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-26048
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-26048
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20230526-0001
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20230526-0001
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20230526-0001/
ssvc Track https://security.netapp.com/advisory/ntap-20230526-0001/
cvssv3.1 5.3 https://www.debian.org/security/2023/dsa-5507
generic_textual MODERATE https://www.debian.org/security/2023/dsa-5507
ssvc Track https://www.debian.org/security/2023/dsa-5507
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json
https://api.first.org/data/v1/epss?cve=CVE-2023-26048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/eclipse/jetty.project
https://github.com/eclipse/jetty.project/issues/9076
https://github.com/eclipse/jetty.project/pull/9344
https://github.com/eclipse/jetty.project/pull/9345
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
https://nvd.nist.gov/vuln/detail/CVE-2023-26048
https://security.netapp.com/advisory/ntap-20230526-0001
https://www.debian.org/security/2023/dsa-5507
2236340 https://bugzilla.redhat.com/show_bug.cgi?id=2236340
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
GHSA-qw69-rqj8-6qw8 https://github.com/advisories/GHSA-qw69-rqj8-6qw8
ntap-20230526-0001 https://security.netapp.com/advisory/ntap-20230526-0001/
RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441
RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
RHSA-2024:3385 https://access.redhat.com/errata/RHSA-2024:3385
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/issues/9076
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/issues/9076
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/pull/9344
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/pull/9344
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/pull/9345
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/pull/9345
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-26048
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20230526-0001
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20230526-0001/
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://security.netapp.com/advisory/ntap-20230526-0001/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.debian.org/security/2023/dsa-5507
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://www.debian.org/security/2023/dsa-5507
Exploit Prediction Scoring System (EPSS)
Percentile 0.97227
EPSS Score 0.4117
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:13:52.283681+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json 36.1.3