9.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.1%
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of
too large response headers, Jetty throws an exception to produce an HTTP
431 error. When this happens, the ByteBuffer containing the HTTP response
headers is released back to the ByteBufferPool twice. Because of this
double release, two threads can acquire the same ByteBuffer from the pool
and while thread1 is about to use the ByteBuffer to write response1 data,
thread2 fills the ByteBuffer with other data. Thread1 then proceeds to
write the buffer that now contains different data. This results in client1,
which issued request1 seeing data from another request or response which
could contain sensitive data belonging to client2 (HTTP session ids,
authentication credentials, etc.). If the Jetty version cannot be upgraded,
the vulnerability can be significantly reduced by configuring a
responseHeaderSize significantly larger than the requestHeaderSize (12KB
responseHeaderSize and 8KB requestHeaderSize).
9.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.1%