5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
45.4%
jetty-server is vulnerable to Information Disclosure. The vulnerability exists because the cookie parsing of quoted values can exfiltrate values from other cookies because the cookie VALUE that starts with "
(double quote) will continue to read the cookie string until it sees a closing quote even if a semicolon is encountered in the library, which allows an attacker to smuggle cookies within other cookies or perform unintended behavior by tampering with the cookie parsing mechanism through the cookie header. For example, the cookie DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"
will result in the cookie name as DISPLAY_LANGUAGE
with the value b; JSESSIONID=1337; c=d
, instead of parsing of three separate cookies
github.com/eclipse/jetty.project/commit/1be1401bafb4c46fae3c234c8e93743a661dcf21
github.com/eclipse/jetty.project/commit/7b8c2c1bf081c7f408e5da3371c8c3c9802f09fd
github.com/eclipse/jetty.project/pull/9339
github.com/eclipse/jetty.project/pull/9352
github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
lists.debian.org/debian-lts-announce/2023/09/msg00039.html
security.netapp.com/advisory/ntap-20230526-0001/
www.debian.org/security/2023/dsa-5507
www.rfc-editor.org/rfc/rfc2965
www.rfc-editor.org/rfc/rfc6265
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
45.4%