CVE-2023-26048
First published: Tue Apr 18 2023(Updated: )
### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.eclipse.jetty:jetty-server | <9.4.51.v20230217 | 9.4.51.v20230217 |
| maven/org.eclipse.jetty:jetty-server | >=11.0.0<11.0.14 | 11.0.14 |
| maven/org.eclipse.jetty:jetty-server | >=10.0.0<10.0.14 | 10.0.14 |
| Eclipse Jetty | <9.4.51 | |
| Eclipse Jetty | >=10.0.0<10.0.14 | |
| Eclipse Jetty | >=11.0.0<11.0.14 | |
| IBM QRadar SIEM | <=7.5.0 - 7.5.0 UP6 | |
| redhat/jetty-server | <9.4.51 | 9.4.51 |
| redhat/jetty-server | <10.0.14 | 10.0.14 |
| redhat/jetty-server | <11.0.14 | 11.0.14 |
| debian/jetty9 | <=9.4.16-0+deb10u1 | 9.4.50-4+deb10u1 9.4.39-3+deb11u2 9.4.50-4+deb11u1 9.4.50-4+deb12u2 9.4.53-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
- https://nvd.nist.gov/vuln/detail/CVE-2023-26048
- https://github.com/eclipse/jetty.project/issues/9076
- https://github.com/eclipse/jetty.project/pull/9344
- https://github.com/eclipse/jetty.project/pull/9345
- https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
- https://security.netapp.com/advisory/ntap-20230526-0001/
- https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
- https://www.debian.org/security/2023/dsa-5507
- https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
- https://github.com/advisories/GHSA-qw69-rqj8-6qw8 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/253356
- https://www.ibm.com/support/pages/node/7049133 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2023-26048
- https://access.redhat.com/errata/RHSA-2023:5165
- https://access.redhat.com/errata/RHSA-2023:5441
- https://access.redhat.com/errata/RHSA-2023:7639
- https://access.redhat.com/errata/RHSA-2023:7637
- https://access.redhat.com/errata/RHSA-2023:7638
- https://access.redhat.com/errata/RHSA-2023:7641
- https://access.redhat.com/errata/RHSA-2024:0778
- https://access.redhat.com/errata/RHSA-2024:0799
- https://access.redhat.com/errata/RHSA-2024:0800
- https://access.redhat.com/errata/RHSA-2024:0798
- https://access.redhat.com/errata/RHSA-2024:0801
- https://access.redhat.com/errata/RHSA-2024:0804
- https://bugzilla.redhat.com/show_bug.cgi?id=2236340
Frequently Asked Questions
What is CVE-2023-26048?
CVE-2023-26048 is a vulnerability in Eclipse Jetty that allows for a denial of service attack caused by an out of memory flaw in the HttpServlet.
What is the impact of CVE-2023-26048?
The impact of CVE-2023-26048 is that servlets with multipart support may cause an OutOfMemoryError when a client sends a multipart request with a part that has a name but no filename and a very large content.
What is the severity of CVE-2023-26048?
The severity of CVE-2023-26048 is medium with a CVSS score of 5.3.
How do I fix CVE-2023-26048?
To fix CVE-2023-26048, you need to update your Eclipse Jetty to version 11.0.14, 10.0.14, or 9.4.51.
Where can I find more information about CVE-2023-26048?
You can find more information about CVE-2023-26048 on the GitHub advisory page and the NIST vulnerability database.
- collector/github-advisory-latest
- alias/GHSA-qw69-rqj8-6qw8
- alias/CVE-2023-26048
- collector/nvd-api
- collector/github-advisory
- collector/nvd-index
- collector/ibm-support
- collector/nvd-cve
- collector/security-tracker-debian
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/references
- agent/remedy
- agent/author
- agent/tags
- agent/event
- agent/last-modified-date
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- package-manager/maven
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/10.0.0
- version/eclipse jetty/11.0.0
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5.0 - 7.5.0 up6
- package-manager/debian
- package-manager/redhat