CVE-2020-27223
published 2021-02-26

Severity: medium (5.3, CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Affected

16 ranges

| Vendor                 | Product                           | Version range                        | Fixed in                    |
|------------------------|-----------------------------------|--------------------------------------|-----------------------------|
| apache                 | nifi                              |                                      |                             |
| apache                 | solr                              |                                      |                             |
| apache                 | spark                             |                                      |                             |
| debian                 | debian_linux                      |                                      |                             |
| debian                 | jetty9                            | < jetty9 9.4.38-1 (bookworm)         | jetty9 9.4.38-1 (bookworm)  |
| eclipse                | jetty                             |                                      |                             |
| eclipse                | jetty                             |                                      |                             |
| eclipse                | jetty                             |                                      |                             |
| eclipse                | jetty                             |                                      |                             |
| eclipse                | jetty                             | >= 9.4.7 < 9.4.36                    | 9.4.36                      |
| netapp                 | e-series_santricity_os_controller | 11.0.0 – 11.70.1                     |                             |
| oracle                 | rest_data_services                | < 20.4.3.050.1904                    | 20.4.3.050.1904             |
| the_eclipse_foundation | eclipse_jetty                     |                                      |                             |
| the_eclipse_foundation | eclipse_jetty                     |                                      |                             |
| the_eclipse_foundation | eclipse_jetty                     | >= 9.4.6.v20170531 < unspecified     | unspecified                 |
| the_eclipse_foundation | eclipse_jetty                     | unspecified – 9.4.36.v20210114       |                             |

CVSS provenance

| Source | CVSS version | Score | Severity | Vector                                       |
|--------|--------------|-------|----------|----------------------------------------------|
| nvd    | v3.1         | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv    |              | 5.3   | MEDIUM   |                                              |