CVE-2023-36479
Severity: 3.1 LOW
EPSS: 1.4% (top 19.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Sep 15; Latest update Sep 19
Description: Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary na…
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N (Exploitability: 1.8 | Impact: 1.4)
Affected Packages: 7 packages
Also affects: Debian Linux 10.0, 11.0, 12.0
Patches
Vulnerability Details (4)
Source: OSV
CVE-2023-36479: Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project (2023-09-15)