Resource exhaustion in Eclipse Jetty.project
CVE-2023-26048
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.434 (97.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
Affected products
- Eclipse Jetty.project — versions < 9.4.51, >= 10.0.0, < 10.0.14, >= 11.0.0, < 11.0.14
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8 (x_refsource_CONFIRM)
- https://github.com/eclipse/jetty.project/issues/9076 (x_refsource_MISC)
- https://github.com/eclipse/jetty.project/pull/9344 (x_refsource_MISC)
- https://github.com/eclipse/jetty.project/pull/9345 (x_refsource_MISC)
- https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload (x_refsource_MISC)
- security.netapp.com/advisory/ntap-20230526-0001/
- www.debian.org/security/2023/dsa-5507
- lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Frequently asked questions
- What is CVE-2023-26048?
- CVE-2023-26048 is a medium-severity vulnerability in Eclipse Jetty.project, classified under Uncontrolled Resource Consumption. CVSS score: 5.3/10. Published 2023-04-18.
- How severe is CVE-2023-26048?
- Medium severity. CVSS v3 base score is 5.3 out of 10.
- Is CVE-2023-26048 known to be exploited?
- 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.