openEuler 20.03 LTS SP4 update for jetty
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2023-26048 CVE-2023-36479 CVE-2023-40167 |
| CWE-ID | CWE-400 CWE-20 CWE-444 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system jetty-xml Operating systems & Components / Operating system package or component jetty-websocket-servlet Operating systems & Components / Operating system package or component jetty-websocket-server Operating systems & Components / Operating system package or component jetty-websocket-common Operating systems & Components / Operating system package or component jetty-websocket-client Operating systems & Components / Operating system package or component jetty-websocket-api Operating systems & Components / Operating system package or component jetty-webapp Operating systems & Components / Operating system package or component jetty-util-ajax Operating systems & Components / Operating system package or component jetty-util Operating systems & Components / Operating system package or component jetty-unixsocket Operating systems & Components / Operating system package or component jetty-start Operating systems & Components / Operating system package or component jetty-spring Operating systems & Components / Operating system package or component jetty-servlets Operating systems & Components / Operating system package or component jetty-servlet Operating systems & Components / Operating system package or component jetty-server Operating systems & Components / Operating system package or component jetty-security Operating systems & Components / Operating system package or component jetty-rewrite Operating systems & Components / Operating system package or component jetty-quickstart Operating systems & Components / Operating system package or component jetty-proxy Operating systems & Components / Operating system package or component jetty-project Operating systems & Components / Operating system package or component jetty-plus Operating systems & Components / Operating system package or component jetty-osgi-boot-warurl Operating systems & Components / Operating system package or component jetty-osgi-boot-jsp Operating systems & Components / Operating system package or component jetty-osgi-boot Operating systems & Components / Operating system package or component jetty-osgi-alpn Operating systems & Components / Operating system package or component jetty-nosql Operating systems & Components / Operating system package or component jetty-maven-plugin Operating systems & Components / Operating system package or component jetty-jstl Operating systems & Components / Operating system package or component jetty-jspc-maven-plugin Operating systems & Components / Operating system package or component jetty-jsp Operating systems & Components / Operating system package or component jetty-jndi Operating systems & Components / Operating system package or component jetty-jmx Operating systems & Components / Operating system package or component jetty-javax-websocket-server-impl Operating systems & Components / Operating system package or component jetty-javax-websocket-client-impl Operating systems & Components / Operating system package or component jetty-javadoc Operating systems & Components / Operating system package or component jetty-jaspi Operating systems & Components / Operating system package or component jetty-jaas Operating systems & Components / Operating system package or component jetty-io Operating systems & Components / Operating system package or component jetty-infinispan Operating systems & Components / Operating system package or component jetty-httpservice Operating systems & Components / Operating system package or component jetty-http2-server Operating systems & Components / Operating system package or component jetty-http2-http-client-transport Operating systems & Components / Operating system package or component jetty-http2-hpack Operating systems & Components / Operating system package or component jetty-http2-common Operating systems & Components / Operating system package or component jetty-http2-client Operating systems & Components / Operating system package or component jetty-http-spi Operating systems & Components / Operating system package or component jetty-http Operating systems & Components / Operating system package or component jetty-fcgi-server Operating systems & Components / Operating system package or component jetty-fcgi-client Operating systems & Components / Operating system package or component jetty-deploy Operating systems & Components / Operating system package or component jetty-continuation Operating systems & Components / Operating system package or component jetty-client Operating systems & Components / Operating system package or component jetty-cdi Operating systems & Components / Operating system package or component jetty-ant Operating systems & Components / Operating system package or component jetty-annotations Operating systems & Components / Operating system package or component jetty-alpn-server Operating systems & Components / Operating system package or component jetty-alpn-client Operating systems & Components / Operating system package or component jetty Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU75218
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-26048
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing multipart requests in request.getParameter(). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP4
jetty-xml: before 9.4.16-7
jetty-websocket-servlet: before 9.4.16-7
jetty-websocket-server: before 9.4.16-7
jetty-websocket-common: before 9.4.16-7
jetty-websocket-client: before 9.4.16-7
jetty-websocket-api: before 9.4.16-7
jetty-webapp: before 9.4.16-7
jetty-util-ajax: before 9.4.16-7
jetty-util: before 9.4.16-7
jetty-unixsocket: before 9.4.16-7
jetty-start: before 9.4.16-7
jetty-spring: before 9.4.16-7
jetty-servlets: before 9.4.16-7
jetty-servlet: before 9.4.16-7
jetty-server: before 9.4.16-7
jetty-security: before 9.4.16-7
jetty-rewrite: before 9.4.16-7
jetty-quickstart: before 9.4.16-7
jetty-proxy: before 9.4.16-7
jetty-project: before 9.4.16-7
jetty-plus: before 9.4.16-7
jetty-osgi-boot-warurl: before 9.4.16-7
jetty-osgi-boot-jsp: before 9.4.16-7
jetty-osgi-boot: before 9.4.16-7
jetty-osgi-alpn: before 9.4.16-7
jetty-nosql: before 9.4.16-7
jetty-maven-plugin: before 9.4.16-7
jetty-jstl: before 9.4.16-7
jetty-jspc-maven-plugin: before 9.4.16-7
jetty-jsp: before 9.4.16-7
jetty-jndi: before 9.4.16-7
jetty-jmx: before 9.4.16-7
jetty-javax-websocket-server-impl: before 9.4.16-7
jetty-javax-websocket-client-impl: before 9.4.16-7
jetty-javadoc: before 9.4.16-7
jetty-jaspi: before 9.4.16-7
jetty-jaas: before 9.4.16-7
jetty-io: before 9.4.16-7
jetty-infinispan: before 9.4.16-7
jetty-httpservice: before 9.4.16-7
jetty-http2-server: before 9.4.16-7
jetty-http2-http-client-transport: before 9.4.16-7
jetty-http2-hpack: before 9.4.16-7
jetty-http2-common: before 9.4.16-7
jetty-http2-client: before 9.4.16-7
jetty-http-spi: before 9.4.16-7
jetty-http: before 9.4.16-7
jetty-fcgi-server: before 9.4.16-7
jetty-fcgi-client: before 9.4.16-7
jetty-deploy: before 9.4.16-7
jetty-continuation: before 9.4.16-7
jetty-client: before 9.4.16-7
jetty-cdi: before 9.4.16-7
jetty-ant: before 9.4.16-7
jetty-annotations: before 9.4.16-7
jetty-alpn-server: before 9.4.16-7
jetty-alpn-client: before 9.4.16-7
jetty: before 9.4.16-7
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:jetty-xml:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-api:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-webapp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-util-ajax:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-util:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-unixsocket:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-start:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-spring:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-servlets:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-security:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-rewrite:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-quickstart:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-proxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-project:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-plus:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot-warurl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-alpn:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-nosql:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jstl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jspc-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jndi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jmx:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javax-websocket-server-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javax-websocket-client-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javadoc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jaspi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jaas:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-io:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-infinispan:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-httpservice:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-http-client-transport:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-hpack:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http-spi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-fcgi-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-fcgi-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-deploy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-continuation:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-cdi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-ant:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-annotations:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-alpn-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-alpn-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU80792
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-36479
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in org.eclipse.jetty.servlets.CGI Servlet when quoting a command before its execution. A remote user can force the application to execute arbitrary file on the server and potentially compromise the system.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP4
jetty-xml: before 9.4.16-7
jetty-websocket-servlet: before 9.4.16-7
jetty-websocket-server: before 9.4.16-7
jetty-websocket-common: before 9.4.16-7
jetty-websocket-client: before 9.4.16-7
jetty-websocket-api: before 9.4.16-7
jetty-webapp: before 9.4.16-7
jetty-util-ajax: before 9.4.16-7
jetty-util: before 9.4.16-7
jetty-unixsocket: before 9.4.16-7
jetty-start: before 9.4.16-7
jetty-spring: before 9.4.16-7
jetty-servlets: before 9.4.16-7
jetty-servlet: before 9.4.16-7
jetty-server: before 9.4.16-7
jetty-security: before 9.4.16-7
jetty-rewrite: before 9.4.16-7
jetty-quickstart: before 9.4.16-7
jetty-proxy: before 9.4.16-7
jetty-project: before 9.4.16-7
jetty-plus: before 9.4.16-7
jetty-osgi-boot-warurl: before 9.4.16-7
jetty-osgi-boot-jsp: before 9.4.16-7
jetty-osgi-boot: before 9.4.16-7
jetty-osgi-alpn: before 9.4.16-7
jetty-nosql: before 9.4.16-7
jetty-maven-plugin: before 9.4.16-7
jetty-jstl: before 9.4.16-7
jetty-jspc-maven-plugin: before 9.4.16-7
jetty-jsp: before 9.4.16-7
jetty-jndi: before 9.4.16-7
jetty-jmx: before 9.4.16-7
jetty-javax-websocket-server-impl: before 9.4.16-7
jetty-javax-websocket-client-impl: before 9.4.16-7
jetty-javadoc: before 9.4.16-7
jetty-jaspi: before 9.4.16-7
jetty-jaas: before 9.4.16-7
jetty-io: before 9.4.16-7
jetty-infinispan: before 9.4.16-7
jetty-httpservice: before 9.4.16-7
jetty-http2-server: before 9.4.16-7
jetty-http2-http-client-transport: before 9.4.16-7
jetty-http2-hpack: before 9.4.16-7
jetty-http2-common: before 9.4.16-7
jetty-http2-client: before 9.4.16-7
jetty-http-spi: before 9.4.16-7
jetty-http: before 9.4.16-7
jetty-fcgi-server: before 9.4.16-7
jetty-fcgi-client: before 9.4.16-7
jetty-deploy: before 9.4.16-7
jetty-continuation: before 9.4.16-7
jetty-client: before 9.4.16-7
jetty-cdi: before 9.4.16-7
jetty-ant: before 9.4.16-7
jetty-annotations: before 9.4.16-7
jetty-alpn-server: before 9.4.16-7
jetty-alpn-client: before 9.4.16-7
jetty: before 9.4.16-7
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:jetty-xml:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-api:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-webapp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-util-ajax:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-util:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-unixsocket:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-start:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-spring:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-servlets:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-security:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-rewrite:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-quickstart:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-proxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-project:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-plus:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot-warurl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-alpn:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-nosql:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jstl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jspc-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jndi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jmx:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javax-websocket-server-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javax-websocket-client-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javadoc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jaspi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jaas:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-io:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-infinispan:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-httpservice:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-http-client-transport:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-hpack:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http-spi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-fcgi-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-fcgi-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-deploy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-continuation:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-cdi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-ant:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-annotations:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-alpn-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-alpn-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU80791
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-40167
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests when handling the "+" character passed via the HTTP/1 header field. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP4
jetty-xml: before 9.4.16-7
jetty-websocket-servlet: before 9.4.16-7
jetty-websocket-server: before 9.4.16-7
jetty-websocket-common: before 9.4.16-7
jetty-websocket-client: before 9.4.16-7
jetty-websocket-api: before 9.4.16-7
jetty-webapp: before 9.4.16-7
jetty-util-ajax: before 9.4.16-7
jetty-util: before 9.4.16-7
jetty-unixsocket: before 9.4.16-7
jetty-start: before 9.4.16-7
jetty-spring: before 9.4.16-7
jetty-servlets: before 9.4.16-7
jetty-servlet: before 9.4.16-7
jetty-server: before 9.4.16-7
jetty-security: before 9.4.16-7
jetty-rewrite: before 9.4.16-7
jetty-quickstart: before 9.4.16-7
jetty-proxy: before 9.4.16-7
jetty-project: before 9.4.16-7
jetty-plus: before 9.4.16-7
jetty-osgi-boot-warurl: before 9.4.16-7
jetty-osgi-boot-jsp: before 9.4.16-7
jetty-osgi-boot: before 9.4.16-7
jetty-osgi-alpn: before 9.4.16-7
jetty-nosql: before 9.4.16-7
jetty-maven-plugin: before 9.4.16-7
jetty-jstl: before 9.4.16-7
jetty-jspc-maven-plugin: before 9.4.16-7
jetty-jsp: before 9.4.16-7
jetty-jndi: before 9.4.16-7
jetty-jmx: before 9.4.16-7
jetty-javax-websocket-server-impl: before 9.4.16-7
jetty-javax-websocket-client-impl: before 9.4.16-7
jetty-javadoc: before 9.4.16-7
jetty-jaspi: before 9.4.16-7
jetty-jaas: before 9.4.16-7
jetty-io: before 9.4.16-7
jetty-infinispan: before 9.4.16-7
jetty-httpservice: before 9.4.16-7
jetty-http2-server: before 9.4.16-7
jetty-http2-http-client-transport: before 9.4.16-7
jetty-http2-hpack: before 9.4.16-7
jetty-http2-common: before 9.4.16-7
jetty-http2-client: before 9.4.16-7
jetty-http-spi: before 9.4.16-7
jetty-http: before 9.4.16-7
jetty-fcgi-server: before 9.4.16-7
jetty-fcgi-client: before 9.4.16-7
jetty-deploy: before 9.4.16-7
jetty-continuation: before 9.4.16-7
jetty-client: before 9.4.16-7
jetty-cdi: before 9.4.16-7
jetty-ant: before 9.4.16-7
jetty-annotations: before 9.4.16-7
jetty-alpn-server: before 9.4.16-7
jetty-alpn-client: before 9.4.16-7
jetty: before 9.4.16-7
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:jetty-xml:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-websocket-api:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-webapp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-util-ajax:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-util:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-unixsocket:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-start:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-spring:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-servlets:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-security:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-rewrite:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-quickstart:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-proxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-project:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-plus:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot-warurl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-boot:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-osgi-alpn:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-nosql:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jstl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jspc-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jndi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jmx:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javax-websocket-server-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javax-websocket-client-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-javadoc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jaspi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-jaas:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-io:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-infinispan:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-httpservice:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-http-client-transport:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-hpack:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http2-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http-spi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-http:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-fcgi-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-fcgi-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-deploy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-continuation:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-cdi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-ant:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-annotations:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-alpn-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty-alpn-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:jetty:*:*:*:*:*:openeuler:*:*
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2268
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
