CVE-2023-36478 — Integer Overflow or Wraparound in Jetty
CWE-190 — Integer Overflow or WraparoundCWE-400 — Uncontrolled Resource Consumption11 documents9 sources
Severity
7.5HIGHNVD
EPSS
1.5%
top 19.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedOct 10
Latest updateJul 15
Description
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to
exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295
will overflo…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages3 packages
Also affects: Debian Linux 10.0, 11.0, 12.0
Patches
🔴Vulnerability Details
4📋Vendor Advisories
6Oracle
▶
Atlassian▶
CVE-2023-36478: DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server↗2024-01-16
Oracle
▶