Vulnerability details: VCID-65kw-jwxu-53f9
Vulnerability ID VCID-65kw-jwxu-53f9
Aliases CVE-2023-26049
GHSA-p26g-97m4-6q7c
Summary: Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as:

`DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"`

will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies.

### Impact

This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.

### Patches

* 9.4.51.v20230217 - via PR #9352
* 10.0.15 - via PR #9339
* 11.0.15 - via PR #9339

### Workarounds

No workarounds

### References

* https://www.rfc-editor.org/rfc/rfc2965
* https://www.rfc-editor.org/rfc/rfc6265
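As an added example (not Jetty's code and not part of the advisory), the two parsing behaviours described above modelled in Python: an RFC 6265-style parser that splits the cookie string on `;` before looking at values, a lenient parser that reads a `"`-opened value through to its closing quote as the advisory describes for pre-fix Jetty, and a check that reports the cookie names the lenient reading folds into another cookie's value, which is the signal an intermediary or log review would want. All function names are assumptions; the sample headers are constructed.

```python
# Added example, not Jetty's code: models the two cookie-parsing behaviours
# the advisory describes and flags Cookie headers on which they disagree.
from typing import Dict, List


def parse_rfc6265(header: str) -> Dict[str, str]:
    """RFC 6265 cookie-string parsing: split on ';' first, then on the first
    '='. Quotes are not special, so a value can never swallow a later pair."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def parse_quoted_lenient(header: str) -> Dict[str, str]:
    """Lenient parsing as the advisory describes pre-fix Jetty: a value that
    starts with '"' is read up to the closing quote, even past a ';'."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":  # skip separators and spaces
            i += 1
        eq = header.find("=", i)
        if i >= n or eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':
            end = header.find('"', j + 1)
            if end == -1:  # unterminated quote: swallows the rest of the header
                end = n
            value, i = header[j + 1:end], end + 1
        else:
            end = header.find(";", j)
            if end == -1:
                end = n
            value, i = header[j:end].strip(), end
        if name:
            cookies[name] = value
    return cookies


def smuggled_cookies(header: str) -> List[str]:
    """Cookie names an RFC 6265 parser sees but the lenient parser folds into
    another cookie's quoted value; a non-empty result marks the header suspect."""
    return sorted(set(parse_rfc6265(header)) - set(parse_quoted_lenient(header)))
```

Running `smuggled_cookies` over the advisory's example header reports `JSESSIONID` and `c` as hidden, while an ordinary header with a quoted value containing no `;` reports nothing.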
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
epss 0.00322 https://api.first.org/data/v1/epss?cve=CVE-2023-26049
cvssv3.1 3.7 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr LOW https://github.com/advisories/GHSA-p26g-97m4-6q7c
cvssv3.1 2.4 https://github.com/eclipse/jetty.project
generic_textual LOW https://github.com/eclipse/jetty.project
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/pull/9339
generic_textual LOW https://github.com/eclipse/jetty.project/pull/9339
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/pull/9352
generic_textual LOW https://github.com/eclipse/jetty.project/pull/9352
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
generic_textual LOW https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
cvssv3.1 2.4 https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
cvssv3.1_qr LOW https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
generic_textual LOW https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
cvssv3.1 2.4 https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
generic_textual LOW https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
cvssv3.1 2.4 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2023-26049
cvssv3.1 2.4 https://security.netapp.com/advisory/ntap-20230526-0001
generic_textual LOW https://security.netapp.com/advisory/ntap-20230526-0001
cvssv3.1 2.4 https://www.debian.org/security/2023/dsa-5507
generic_textual LOW https://www.debian.org/security/2023/dsa-5507
cvssv3.1 2.4 https://www.rfc-editor.org/rfc/rfc2965
generic_textual LOW https://www.rfc-editor.org/rfc/rfc2965
cvssv3.1 2.4 https://www.rfc-editor.org/rfc/rfc6265
generic_textual LOW https://www.rfc-editor.org/rfc/rfc6265
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
https://api.first.org/data/v1/epss?cve=CVE-2023-26049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/eclipse/jetty.project
https://github.com/eclipse/jetty.project/pull/9339
https://github.com/eclipse/jetty.project/pull/9352
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
https://nvd.nist.gov/vuln/detail/CVE-2023-26049
https://security.netapp.com/advisory/ntap-20230526-0001
https://www.debian.org/security/2023/dsa-5507
https://www.rfc-editor.org/rfc/rfc2965
https://www.rfc-editor.org/rfc/rfc6265
2236341 https://bugzilla.redhat.com/show_bug.cgi?id=2236341
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:alpha1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:eclipse:jetty:12.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:alpha2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:eclipse:jetty:12.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:alpha3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:eclipse:jetty:12.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
GHSA-p26g-97m4-6q7c https://github.com/advisories/GHSA-p26g-97m4-6q7c
RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441
RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
RHSA-2024:0797 https://access.redhat.com/errata/RHSA-2024:0797
RHSA-2024:3385 https://access.redhat.com/errata/RHSA-2024:3385
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26049.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/pull/9339
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/pull/9352
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-26049
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-26049
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20230526-0001
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://www.debian.org/security/2023/dsa-5507
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://www.rfc-editor.org/rfc/rfc2965
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N Found at https://www.rfc-editor.org/rfc/rfc6265
Exploit Prediction Scoring System (EPSS)
Percentile 0.54553
EPSS Score 0.00322
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:13:51.436725+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json 36.1.3