CVE-2023-26049 — Sensitive Information Exposure in Jetty.project
Severity
5.3MEDIUMNVD
CNA2.4
EPSS
0.3%
top 42.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 18
Latest updateOct 15
Description
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4
Affected Packages3 packages
Also affects: Debian Linux 10.0, 11.0, 12.0
Patches
🔴Vulnerability Details
4OSV
▶
CVEList▶
Cookie parsing of quoted values can exfiltrate values from other cookies in Eclipse Jetty↗2023-04-18
GHSA
▶
📋Vendor Advisories
4Oracle
▶
Oracle
▶
Red Hat
▶
Debian▶
CVE-2023-26049: jetty9 - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing ...↗2023