
Debian 10: DLA-3592-1 Important Security Update for Jetty Software

debian lts
September 30, 2023
Multiple security vulnerabilities were found in Jetty, a Java-based web server and servlet engine.

Summary

The org.eclipse.jetty.servlets.CGI class has been deprecated because it is
potentially unsafe to use. The upstream Jetty developers recommend using FastCGI
instead. See also CVE-2023-36479.

CVE-2023-26048

In affected versions servlets with multipart support (e.g. annotated with
`@MultipartConfig`) that call `HttpServletRequest.getParameter()` or
`HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
client sends a multipart request with a part that has a name but no
filename and very large content. This happens even with the default
settings of `fileSizeThreshold=0` which should stream the whole part
content to disk.
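Besides installing the fixed package, a servlet can bound how much multipart data it will ever accept. The following is an added example, not code from the advisory or from the Jetty project: a hypothetical upload servlet for the Jetty 9.4 (javax.servlet) API that keeps `fileSizeThreshold=0` but also sets `maxFileSize` and `maxRequestSize`, so an oversized part is rejected by the container instead of being buffered. The servlet path, the temp location and the byte limits are constructed values chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical upload servlet; path, location and limits are constructed for this example.
@WebServlet("/upload")
@MultipartConfig(
    location = "/var/tmp/jetty-uploads",   // assumed scratch directory for spooled parts
    fileSizeThreshold = 0,                 // spool every part to disk, as in the advisory
    maxFileSize = 10L * 1024 * 1024,       // hard cap per part: 10 MiB
    maxRequestSize = 12L * 1024 * 1024)    // hard cap for the whole multipart body: 12 MiB
public class UploadServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        long total = 0;
        try {
            // getParts() throws IllegalStateException (Servlet spec) when a part exceeds
            // maxFileSize or the request body exceeds maxRequestSize.
            for (Part part : req.getParts()) {
                // Parts without a filename (plain form fields) are subject to the same caps.
                try (InputStream in = part.getInputStream()) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = in.read(buf)) != -1) {
                        total += n; // consume the part in bounded chunks, never as one byte[]
                    }
                }
                part.delete(); // release the spooled temp file once processed
            }
        } catch (IllegalStateException tooLarge) {
            // Reject oversized uploads explicitly rather than letting them reach application code.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("received " + total + " bytes");
    }
}
```

The limits are defence in depth, not a substitute for the fixed jetty9 package: they should be set to the smallest values the application actually needs, and the same values can be given in `web.xml` via `<multipart-config>` for servlets that are not annotated.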

CVE-2023-26049

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies, or otherwise perform unintended behavior by
tampering with the cookie parsing mechanism.

CVE-2023-40167

Prior to this version Jetty accepted the `+` character proceeding the

Severity: important

Package: jetty9
Version: 9.4.16-0+deb10u3
CVE ID: CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167
