GitHub Advisory DatabaseGHSA-P26G-97M4-6Q7CEclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies
0.001 Low
EPSS
Percentile
40.3%
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.
If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote โ even if a semicolon is encountered.
So, a cookie header such as:
DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d
instead of 3 separate cookies.
Impact
This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.
Patches
- 9.4.51.v20230217 - via PR #9352
- 10.0.15 - via PR #9339
- 11.0.15 - via PR #9339
Workarounds
No workarounds
References
References
github.com/advisories/GHSA-p26g-97m4-6q7c
github.com/eclipse/jetty.project/pull/9339
github.com/eclipse/jetty.project/pull/9352
github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
lists.debian.org/debian-lts-announce/2023/09/msg00039.html
nvd.nist.gov/vuln/detail/CVE-2023-26049
security.netapp.com/advisory/ntap-20230526-0001/
www.debian.org/security/2023/dsa-5507
www.rfc-editor.org/rfc/rfc2965
www.rfc-editor.org/rfc/rfc6265
Related
