Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2023-26048
HistoryApr 18, 2023 - 9:15 p.m.

CVE-2023-26048

2023-04-1821:15:08
CWE-770
CWE-400
[email protected]
web.nvd.nist.gov
242
jetty
cve-2023-26048
outofmemoryerror
web server
servlet engine
multipart support
security patch
nvd
servlets

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.2

Confidence

High

EPSS

0.002

Percentile

62.1%

JSON

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service โ€“ although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

Affected configurations

Vulners
NVD
Node
eclipsecaliforniumRange<9.4.51
OR
eclipsecaliforniumRange10.0.0โ€“10.0.14
OR
eclipsecaliforniumRange11.0.0โ€“11.0.14
VendorProductVersionCPE
eclipseeclipse_ide*cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*
eclipseeclipse_ide*cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*
eclipseeclipse_ide*cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "eclipse",
    "product": "jetty.project",
    "versions": [
      {
        "version": "< 9.4.51",
        "status": "affected"
      },
      {
        "version": ">= 10.0.0, < 10.0.14",
        "status": "affected"
      },
      {
        "version": ">= 11.0.0, < 11.0.14",
        "status": "affected"
      }
    ]
  }
]

Related

osv 5
ubuntucve 1
nvd 1
ibm 29
githubexploit 1
redhatcve 1
veracode 1
github 1
debiancve 1
wolfi 1
prion 1
cvelist 1
cgr 1
nessus 11
openvas 4
redhat 13
debian 2
oracle 2
osv
osv
OutOfMemoryError for large multipart without filename in Eclipse Jetty
2023-04-19 18:15:45
CVE-2023-26048
2023-04-18 21:15:08
CGA-q672-cgj3-7q4g
2024-06-06 12:28:58
ubuntucve
ubuntucve
CVE-2023-26048
2023-04-18 00:00:00
nvd
nvd
CVE-2023-26048
2023-04-18 21:15:08
ibm
ibm
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26048)
2023-07-17 03:56:06
Security Bulletin: Vulnerability in jetty-server affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2023-26048]
2023-07-31 10:47:25
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Eclipse Jetty
2023-06-28 22:04:45
githubexploit
githubexploit
Exploit for Allocation of Resources Without Limits or Throttling in Eclipse Jetty
2023-11-01 06:57:10
redhatcve
redhatcve
CVE-2023-26048
2023-08-31 01:30:14
veracode
veracode
Denial Of Service (DOS)
2023-04-20 14:24:08
github
github
OutOfMemoryError for large multipart without filename in Eclipse Jetty
2023-04-19 18:15:45
debiancve
debiancve
CVE-2023-26048
2023-04-18 21:15:08
wolfi
wolfi
CVE-2023-26048 vulnerabilities
2024-07-26 21:09:29
prion
prion
Design/Logic Flaw
2023-04-18 21:15:00
cvelist
cvelist
CVE-2023-26048 OutOfMemoryError for large multipart without filename in Eclipse Jetty
2023-04-18 20:30:20
cgr
cgr
CVE-2023-26048 vulnerabilities
2024-05-19 03:07:16
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2023:2539-1)
2023-06-20 00:00:00
RHEL 9 : log4j (Unpatched Vulnerability)
2024-06-03 00:00:00
Debian DLA-3592-1 : jetty9 - LTS security update
2023-10-01 00:00:00
openvas
openvas
Eclipse Jetty Multiple Vulnerabilities (GHSA-qw69-rqj8-6qw8, GHSA-p26g-97m4-6q7c) - Linux
2023-04-21 00:00:00
Eclipse Jetty Multiple Vulnerabilities (GHSA-qw69-rqj8-6qw8, GHSA-p26g-97m4-6q7c) - Windows
2023-04-21 00:00:00
Debian: Security Advisory (DLA-3592-1)
2023-10-02 00:00:00
redhat
redhat
(RHSA-2024:3385) Moderate: Red Hat JBoss EAP 7.4.14 XP 4.0.2.GA security release
2024-05-28 11:17:57
(RHSA-2023:7641) Important: Red Hat JBoss Enterprise Application Platform 7.4.14 security update
2023-12-04 18:00:34
(RHSA-2023:7637) Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 7 security update
2023-12-04 17:37:49
debian
debian
[SECURITY] [DLA 3592-1] jetty9 security update
2023-09-30 12:35:53
[SECURITY] [DSA 5507-1] jetty9 security update
2023-09-28 22:37:26
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.2

Confidence

High

EPSS

0.002

Percentile

62.1%

JSON
Related for CVE-2023-26048
osv5ubuntucve1nvd1ibm29githubexploit1redhatcve1veracode1github1debiancve1wolfi1prion1cvelist1cgr1nessus11openvas4redhat13debian2oracle2