CVE-2020-27223

Severity: 5.3 MEDIUM
EPSS: 33.8% (top 3.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 26; latest update Apr 15

Description

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.5 | Impact: 3.6

Affected Packages (9 packages)

Source     | Package                               | Versions                        | More
Maven      | org.eclipse.jetty:jetty-server        | 9.4.6 to 9.4.37                 | +2
NVD        | eclipse/jetty                         | 9.4.7 to 9.4.36                 | +4
CVEListV5  | the_eclipse_foundation/eclipse_jetty  | 9.4.6.v20170531 to unspecified  | +3
Debian     | jetty9                                | < 9.4.38-1                      | +3
NVD        | oracle/rest_data_services             | < 20.4.3.050.1904               |

Also affects: Debian Linux 10.0

Patches

🔴 Vulnerability Details (4)

OSV      DOS vulnerability for Quoted Quality CSV headers (2021-03-10)
GHSA     DOS vulnerability for Quoted Quality CSV headers (2021-03-10)
OSV      CVE-2020-27223: In Eclipse Jetty 9 (2021-02-26)
CVEList  CVE-2020-27223: In Eclipse Jetty 9 (2021-02-26)

📋 Vendor Advisories (3)

Oracle   Oracle REST Data Services Risk Matrix: General (Eclipse Jetty) — CVE-2020-27223 (2021-04-15)
Red Hat  jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS (2021-02-26)
Debian   CVE-2020-27223: jetty9 - In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11... (2020)