SB20260507308 - SUSE update for jetty-minimal
Published: May 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-2332)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in the chunked transfer encoding extension parser when parsing quoted strings in HTTP/1.1 chunked transfer encoding extension values. A remote attacker can send a specially crafted chunked HTTP request to inject arbitrary HTTP requests.
The issue occurs because CRLF sequences inside quoted strings are treated as chunk header terminators instead of parsing errors.
2) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-5795)
CWE-ID: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to sensitive information in resource not removed before reuse in JaspiAuthenticator.java when handling certain error or incomplete authentication flows. A remote attacker can trigger a request sequence that leaves residual authentication metadata in ThreadLocal storage to escalate privileges.
A subsequent unprivileged request processed by the same worker thread may inherit residual security roles if a mandatory CallerPrincipalCallback is missing or an exception occurs after a GroupPrincipalCallback has been persisted.
Remediation
Install update from vendor's website.