Jetty is a java based web server and servlet engine. Nonstandard cookie
parsing in Jetty may allow an attacker to smuggle cookies within other
cookies, or otherwise perform unintended behavior by tampering with the
cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with "
(double quote), it will continue to read the cookie string until it sees a
closing quote โ even if a semicolon is encountered. So, a cookie header
such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"
will be parsed as one
cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337;
c=d instead of 3 separate cookies. This has security implications because
if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie
value is rendered on the page, an attacker can smuggle the JSESSIONID
cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is
significant when an intermediary is enacting some policy based on cookies,
so a smuggled cookie can bypass that policy yet still be seen by the Jetty
server or its logging system. This issue has been addressed in versions
9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to
upgrade. There are no known workarounds for this issue.
github.com/eclipse/jetty.project/pull/9339
github.com/eclipse/jetty.project/pull/9352
github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
launchpad.net/bugs/cve/CVE-2023-26049
nvd.nist.gov/vuln/detail/CVE-2023-26049
security-tracker.debian.org/tracker/CVE-2023-26049
www.cve.org/CVERecord?id=CVE-2023-26049
www.rfc-editor.org/rfc/rfc2965
www.rfc-editor.org/rfc/rfc6265