What is CVE-2020-27223?

CVE-2020-27223 is a medium-severity vulnerability in The Eclipse Foundation Jetty, classified under Inefficient Algorithmic Complexity. CVSS score: 5.2/10. Published 2021-02-26.

How severe is CVE-2020-27223?

Medium severity. CVSS v3 base score is 5.2 out of 10.

Is CVE-2020-27223 known to be exploited?

15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in The Eclipse Foundation Jetty

CVE-2020-27223

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of ser…

EPSS: 0.779 (99.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.2 (Medium). Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H.

Affected products

The Eclipse Foundation Jetty — versions 9.4.6.v20170531, unspecified, 10.0.0

Weakness classification (CWE)

CWE-407 — Inefficient Algorithmic Complexity

Public proof-of-concept exploits

References

bugs.eclipse.org/bugs/show_bug.cgi (x_refsource_CONFIRM)
github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7 (x_refsource_CONFIRM)
[karaf-user] 20210301 Re: Jetty security defect (mailing-list, x_refsource_MLIST)
[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 (mailing-list, x_refsource_MLIST)
[kafka-dev] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223 (mailing-list, x_refsource_MLIST)
[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr opened a new pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 (mailing-list, x_refsource_MLIST)
[kafka-jira] 20210302 [jira] [Created] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223 (mailing-list, x_refsource_MLIST)
[druid-commits] 20210302 [GitHub] [druid] a2l007 opened a new pull request #10937: Upgrade jetty to latest version (mailing-list, x_refsource_MLIST)
[kafka-jira] 20210302 [GitHub] [kafka] ableegoldman commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 (mailing-list, x_refsource_MLIST)
[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223 (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2020-27223?: CVE-2020-27223 is a medium-severity vulnerability in The Eclipse Foundation Jetty, classified under Inefficient Algorithmic Complexity. CVSS score: 5.2/10. Published 2021-02-26.
How severe is CVE-2020-27223?: Medium severity. CVSS v3 base score is 5.2 out of 10.
Is CVE-2020-27223 known to be exploited?: 15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.