CVE-2023-26048

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation without Limits8 documents7 sources

Severity

5.3MEDIUM

EPSS

40.8%

top 2.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Jetty.project Eclipse Jetty

Timeline

PublishedApr 18

Latest updateOct 15

Description

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Mavenorg.eclipse.jetty:jetty-server10.0.0 — 10.0.14+2

▶NVDeclipse/jetty10.0.0 — 10.0.14+2

▶CVEListV5eclipse/jetty.project< 9.4.51+2

▶Debianjetty9< 9.4.39-3+deb11u2+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

OutOfMemoryError for large multipart without filename in Eclipse Jetty↗2023-04-19

▶

OSV

OutOfMemoryError for large multipart without filename in Eclipse Jetty↗2023-04-19

▶

OSV

CVE-2023-26048: Jetty is a java based web server and servlet engine↗2023-04-18

▶

CVEList

OutOfMemoryError for large multipart without filename in Eclipse Jetty↗2023-04-18

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Signaling (Eclipse Jetty) — CVE-2023-26048↗2023-10-15

▶

Red Hat

jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()↗2023-04-18

▶

Debian

CVE-2023-26048: jetty9 - Jetty is a java based web server and servlet engine. In affected versions servle...↗2023

▶