#VU75218 Resource exhaustion in Jetty - CVE-2023-26048


| Updated: 2023-11-28

Vulnerability identifier: #VU75218

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-26048

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jetty
Server applications / Web servers

Vendor: Eclipse

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing multipart requests in request.getParameter(). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jetty: 9.0.0.v20130308 - 9.4.50.v20221201, 10.0.0 - 11.0.13

External links
https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Control Center
Multiple vulnerabilities in IBM DataStage on Cloud Pak for Data
Multiple vulnerabilities in IBM Cognos Analytics
openEuler 22.03 LTS SP1 update for jetty
openEuler 24.03 LTS update for jetty
openEuler 22.03 LTS SP4 update for jetty
openEuler 22.03 LTS SP3 update for jetty
openEuler 20.03 LTS SP4 update for jetty
IBM watsonx.data update for FasterXML jackson-databind
Multiple vulnerabilities in IBM Engineering Systems Design Rhapsody