CVE-2023-36479 Detail
Description
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
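The quoting weakness described above can be checked at the JDK level. The following is an added example, not code from Jetty or from this record: it models only the wrap-in-quotes step as the description states it and the whitespace tokenization that `Runtime.exec(String)` performs, then contrasts it with the argument-list form. The class name, the command prefix and the sample binary names are constructed for illustration, and no process is started.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class QuotedCommandTokens {
    // Quoting as the description states it: a name containing a space is
    // wrapped in quotation marks. Reconstructed from the advisory text,
    // not copied from Jetty (assumption).
    static String wrap(String name) {
        return name.indexOf(' ') >= 0 ? "\"" + name + "\"" : name;
    }

    // Runtime.exec(String) splits its argument with a default
    // StringTokenizer: whitespace delimiters only, no quote handling.
    static List<String> execTokens(String commandLine) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(commandLine);
        while (st.hasMoreTokens()) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    public static void main(String[] args) {
        String prefix = "/usr/bin/env";          // constructed command prefix
        String[] names = {                       // constructed sample names
            "report.cgi",
            "monthly report.cgi",
            "monthly\" report.cgi",              // quotation mark followed by a space
        };
        for (String name : names) {
            // String form: prefix + wrapped name, then tokenized by the JDK.
            List<String> tokens = execTokens(prefix + " " + wrap(name));
            // Prefix plus one binary must be exactly two tokens.
            boolean intact = tokens.size() == 2;
            System.out.printf("string form %-22s intact=%-5b %s%n",
                    "[" + name + "]", intact, tokens);

            // List form: each element stays one argument; nothing re-splits
            // it on whitespace. command() only returns the list, it does
            // not run anything.
            List<String> argv = new ProcessBuilder(prefix, name).command();
            System.out.printf("list form   %-22s intact=%-5b %s%n",
                    "[" + name + "]", argv.size() == 2, argv);
        }
    }
}
```

The same token-count check (expected argument count versus tokens actually produced) can be used as a unit test around any code that assembles a command string before handing it to `Runtime.exec`.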
Weakness Enumeration
CWE-ID | CWE Name | Source |
---|---|---|
CWE-149 | Improper Neutralization of Quoting Syntax | GitHub, Inc. |
Change History
Initial Analysis by NIST 9/20/2023 11:59:11 AM
Action | Type | Old Value | New Value |
---|---|---|---|
Added | CPE Configuration | | Record truncated, showing 500 of 593 characters. OR *cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* versions from (including) 9.0.0 up to (excluding) 9.4.52 *cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.0.16 *cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (excluding) 11.0.16 *cpe:2.3:a:eclipse:jetty:12.0.0:alpha1:*:*:*:*:*:* *cpe:2.3:a:eclipse:jetty:12.0.0:alpha2:*:*:*:*:*:* *cpe:2.3:a:eclipse:jetty:12.0.0:alpha3:*:*:*:*:*:* *cpe:2.3:a: |
Added | CVSS V3.1 | | NIST AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Changed | Reference Type | https://github.com/eclipse/jetty.project/pull/9516 No Types Assigned | https://github.com/eclipse/jetty.project/pull/9516 Patch |
Changed | Reference Type | https://github.com/eclipse/jetty.project/pull/9888 No Types Assigned | https://github.com/eclipse/jetty.project/pull/9888 Patch |
Changed | Reference Type | https://github.com/eclipse/jetty.project/pull/9889 No Types Assigned | https://github.com/eclipse/jetty.project/pull/9889 Patch |
Changed | Reference Type | https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j No Types Assigned | https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j Exploit, Patch, Vendor Advisory |
Quick Info
CVE Dictionary Entry: CVE-2023-36479
NVD Published Date: 09/15/2023
NVD Last Modified: 09/20/2023
Source: GitHub, Inc.