Lucene search

K
cve[email protected]CVE-2023-41900
HistorySep 15, 2023 - 9:15 p.m.

CVE-2023-41900

2023-09-1521:15:11
CWE-1390
CWE-287
web.nvd.nist.gov
167
jetty
web server
authentication
vulnerability
cve-2023-41900
nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.8%

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the LoginService. This impacts usages of the jetty-openid which have configured a nested LoginService and where that LoginService will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

Affected configurations

Vulners
NVD
Node
eclipseeclipse_ideRange9.4.21–9.4.51
OR
eclipseeclipse_ideRange10.0.0–10.0.15
OR
eclipseeclipse_ideRange11.0.0–11.0.15
VendorProductVersionCPE
eclipseeclipse_ide*cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*
eclipseeclipse_ide*cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*
eclipseeclipse_ide*cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "eclipse",
    "product": "jetty.project",
    "versions": [
      {
        "version": ">= 9.4.21, <= 9.4.51",
        "status": "affected"
      },
      {
        "version": ">= 10.0.0, <= 10.0.15",
        "status": "affected"
      },
      {
        "version": ">= 11.0.0, <= 11.0.15",
        "status": "affected"
      }
    ]
  }
]

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.8%