Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:40263
HistoryApr 24, 2023 - 4:51 a.m.

Information Disclosure

2023-04-2404:51:24
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
56
jetty-server
information disclosure
faulty cookie parsing
exfiltrate values
cookie header

EPSS

0.001

Percentile

40.9%

jetty-server is vulnerable to Information Disclosure. The vulnerability exists because the cookie parsing of quoted values can exfiltrate values from other cookies because the cookie VALUE that starts with " (double quote) will continue to read the cookie string until it sees a closing quote even if a semicolon is encountered in the library, which allows an attacker to smuggle cookies within other cookies or perform unintended behavior by tampering with the cookie parsing mechanism through the cookie header. For example, the cookie DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will result in the cookie name as DISPLAY_LANGUAGE with the value b; JSESSIONID=1337; c=d, instead of parsing of three separate cookies