Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-dtzg-44zp-cqds
Vulnerability ID VCID-dtzg-44zp-cqds
Aliases CVE-2023-26048
GHSA-qw69-rqj8-6qw8
Summary OutOfMemoryError for large multipart without filename in Eclipse Jetty ### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-400 Uncontrolled Resource Consumption
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json
epss 0.41634 https://api.first.org/data/v1/epss?cve=CVE-2023-26048
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.3 https://github.com/eclipse/jetty.project
generic_textual MODERATE https://github.com/eclipse/jetty.project
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/issues/9076
generic_textual MODERATE https://github.com/eclipse/jetty.project/issues/9076
ssvc Track https://github.com/eclipse/jetty.project/issues/9076
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/pull/9344
generic_textual MODERATE https://github.com/eclipse/jetty.project/pull/9344
ssvc Track https://github.com/eclipse/jetty.project/pull/9344
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/pull/9345
generic_textual MODERATE https://github.com/eclipse/jetty.project/pull/9345
ssvc Track https://github.com/eclipse/jetty.project/pull/9345
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
generic_textual MODERATE https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
cvssv3.1 5.3 https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
generic_textual MODERATE https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
ssvc Track https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
cvssv3.1 5.3 https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
generic_textual MODERATE https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
ssvc Track https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
cvssv3.1 5.3 https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-26048
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-26048
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20230526-0001
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20230526-0001
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20230526-0001/
ssvc Track https://security.netapp.com/advisory/ntap-20230526-0001/
cvssv3.1 5.3 https://www.debian.org/security/2023/dsa-5507
generic_textual MODERATE https://www.debian.org/security/2023/dsa-5507
ssvc Track https://www.debian.org/security/2023/dsa-5507
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json
https://api.first.org/data/v1/epss?cve=CVE-2023-26048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/eclipse/jetty.project
https://github.com/eclipse/jetty.project/issues/9076
https://github.com/eclipse/jetty.project/pull/9344
https://github.com/eclipse/jetty.project/pull/9345
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
https://nvd.nist.gov/vuln/detail/CVE-2023-26048
https://security.netapp.com/advisory/ntap-20230526-0001
https://www.debian.org/security/2023/dsa-5507
2236340 https://bugzilla.redhat.com/show_bug.cgi?id=2236340
GHSA-qw69-rqj8-6qw8 https://github.com/advisories/GHSA-qw69-rqj8-6qw8
ntap-20230526-0001 https://security.netapp.com/advisory/ntap-20230526-0001/
RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441
RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
RHSA-2024:3385 https://access.redhat.com/errata/RHSA-2024:3385
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26048.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/issues/9076
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/issues/9076
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/pull/9344
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/pull/9344
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/pull/9345
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/pull/9345
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-26048
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20230526-0001
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20230526-0001/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://security.netapp.com/advisory/ntap-20230526-0001/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.debian.org/security/2023/dsa-5507
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T19:43:53Z/ Found at https://www.debian.org/security/2023/dsa-5507
Exploit Prediction Scoring System (EPSS)
Percentile 0.97479
EPSS Score 0.41634
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T09:04:12.374347+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json 38.6.0