#VU80793 Improper Authorization in Jetty - CVE-2023-41900

Published: September 14, 2023 / Updated: October 12, 2023


Vulnerability identifier: #VU80793
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-41900
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Jetty
Software vendor:
Eclipse

Description

The vulnerability allows a remote user whose session was previously authenticated to bypass security restrictions on a single request after the application has revoked that user.

The vulnerability exists because OpenIdAuthenticator does not apply a revocation decision to the request that triggered it. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user (its validate() check fails for the user), the current request is still treated as authenticated. The authentication is then cleared from the session, so subsequent requests on that session are no longer treated as authenticated; the exposure is the one request on which the nested LoginService rejected the user. Only deployments of jetty-openid that configure a nested LoginService, and whose LoginService is capable of rejecting previously authenticated users, are affected.
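The setup the advisory describes, as an added example (this is not Jetty's own code and not part of the advisory): a nested LoginService that can revoke a user at runtime, wired under jetty-openid so that the OpenID layer consults it on login and on every later request. Jetty 10.x package names (javax.servlet), the issuer and client values, and the "user" role are assumptions; which identifier the OpenID layer hands to the nested login() is also an assumption, noted in the comments.

```java
// Added example, not code from Jetty or from the advisory. Assumes Jetty 10.x
// (javax.servlet); issuer/client values are placeholders.
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.openid.OpenIdAuthenticator;
import org.eclipse.jetty.security.openid.OpenIdConfiguration;
import org.eclipse.jetty.security.openid.OpenIdLoginService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.security.Constraint;

public class RevocableLoginService implements LoginService {
    // Subjects that have been revoked after logging in (admin action, IdP webhook, ...).
    private final Set<String> revoked = ConcurrentHashMap.newKeySet();
    private IdentityService identityService = new DefaultIdentityService();

    public void revoke(String subject) {
        revoked.add(subject);
    }

    @Override
    public String getName() {
        return "nested";
    }

    // Called by OpenIdLoginService once the authorization code has been redeemed.
    // The username is whatever identifier the OpenID layer passes down (assumed here
    // to be the token's subject). Returning null rejects the login outright.
    @Override
    public UserIdentity login(String username, Object credentials, ServletRequest request) {
        if (username == null || revoked.contains(username)) {
            return null;
        }
        Principal principal = () -> username;
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        subject.setReadOnly();
        return identityService.newUserIdentity(subject, principal, new String[] {"user"});
    }

    // Called for later requests on an already-authenticated session. Returning false
    // is the revocation decision the advisory is about: on affected versions the
    // request that triggers it is still served as authenticated and only the
    // following requests are rejected; on fixed versions it is rejected immediately.
    @Override
    public boolean validate(UserIdentity user) {
        return !revoked.contains(user.getUserPrincipal().getName());
    }

    @Override
    public IdentityService getIdentityService() {
        return identityService;
    }

    @Override
    public void setIdentityService(IdentityService service) {
        identityService = service;
    }

    @Override
    public void logout(UserIdentity user) {
        // Nothing held per user outside the session.
    }

    // Wires the nested service under jetty-openid. Attach the returned handler to
    // the servlet context; the issuer/client values are placeholders.
    public static ConstraintSecurityHandler securityHandler(RevocableLoginService nested) {
        OpenIdConfiguration oidc = new OpenIdConfiguration(
            "https://issuer.example", "client-id", "client-secret");
        OpenIdLoginService loginService = new OpenIdLoginService(oidc, nested);

        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__OPENID_AUTH);
        constraint.setRoles(new String[] {"**"}); // any authenticated user
        constraint.setAuthenticate(true);
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setPathSpec("/*");

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setRealmName("example");
        security.setLoginService(loginService);
        security.setAuthenticator(new OpenIdAuthenticator(oidc, "/error"));
        security.addConstraintMapping(mapping);
        return security;
    }
}
```

To check whether a deployment is affected, log in through the OpenID flow, call revoke() for that subject, then send one more request on the same session cookie: on an affected version that request is served as authenticated and only the next one is refused; on a fixed version the first request after revocation is already refused.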


Remediation

Install updates from the vendor's website.

External links