high
7.5
CWE
400 407
Advisory Published
CVE Published
Updated

CVE-2020-27223

First published: Fri Feb 26 2021(Updated: )

Eclipse Jetty is vulnerable to a denial of service, caused by an error when handling a request containing multiple Accept headers with a large number of quality parameters. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to exhaust minutes of CPU time.

Credit: emo@eclipse.org

Affected SoftwareAffected VersionHow to fix
redhat/jenkins<0:2.289.1.1624365627-1.el7
0:2.289.1.1624365627-1.el7
redhat/jenkins<0:2.277.3.1623846768-1.el7
0:2.277.3.1623846768-1.el7
redhat/jenkins<0:2.277.3.1623853726-1.el8
0:2.277.3.1623853726-1.el8
debian/jetty9
9.4.16-0+deb10u1
9.4.50-4+deb10u1
9.4.39-3+deb11u2
9.4.50-4+deb11u1
9.4.50-4+deb12u2
9.4.53-1
redhat/jetty-9.4.37.v20210219 jetty-10.0.1 jetty<11.0.1
11.0.1
Eclipse Jetty>=9.4.7<9.4.36
Eclipse Jetty=9.4.6-20170531
Eclipse Jetty=9.4.6-20180619
Eclipse Jetty=9.4.36
Eclipse Jetty=9.4.36-20210114
Eclipse Jetty=10.0.0
Eclipse Jetty=11.0.0
Apache NiFi=1.13.0
Apache Spark=3.1.1
NetApp E-Series SANtricity OS Controller>=11.0.0<=11.70.1
Netapp E-series Santricity Web Services Web Services Proxy
Netapp Element Plug-in For Vcenter Server
Netapp Hci
Netapp Hci Management Node
Netapp Management Services For Element Software
NetApp Snap Creator Framework
Netapp Snapcenter
Netapp Snapmanager Oracle
Netapp Snapmanager Sap
Netapp Solidfire
Debian Debian Linux=10.0
Apache Solr=8.8.1
Oracle REST Data Services<20.4.3.050.1904

Remedy

https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211@%3Cissues.solr.apache.org%3E

Remedy

https://www.oracle.com/security-alerts/cpuApr2021.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2020-27223?

    CVE-2020-27223 is a vulnerability in Eclipse Jetty that can cause denial of service (DoS) due to high CPU usage.

  • Which versions of Eclipse Jetty are affected by CVE-2020-27223?

    Eclipse Jetty versions 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 are affected.

  • What is the severity of CVE-2020-27223?

    CVE-2020-27223 has a severity score of 5.3, which is classified as medium.

  • How can I fix CVE-2020-27223?

    To fix CVE-2020-27223, update Eclipse Jetty to version 9.4.37.v20210219 or 10.0.1, or upgrade to version 11.0.1.

  • Where can I find more information about CVE-2020-27223?

    More information about CVE-2020-27223 can be found at the following references: [link1](https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128), [link2](https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1934117).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203