First published: Tue Apr 18 2023(Updated: )
### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.eclipse.jetty:jetty-server | <9.4.51.v20230217 | 9.4.51.v20230217 |
maven/org.eclipse.jetty:jetty-server | >=11.0.0<11.0.14 | 11.0.14 |
maven/org.eclipse.jetty:jetty-server | >=10.0.0<10.0.14 | 10.0.14 |
Eclipse Jetty | <9.4.51 | |
Eclipse Jetty | >=10.0.0<10.0.14 | |
Eclipse Jetty | >=11.0.0<11.0.14 | |
debian/jetty9 | <=9.4.16-0+deb10u1 | 9.4.50-4+deb10u1 9.4.39-3+deb11u2 9.4.50-4+deb11u1 9.4.50-4+deb12u2 9.4.53-1 |
redhat/jetty-server | <9.4.51 | 9.4.51 |
redhat/jetty-server | <10.0.14 | 10.0.14 |
redhat/jetty-server | <11.0.14 | 11.0.14 |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-26048 is a vulnerability in Eclipse Jetty that allows for a denial of service attack caused by an out of memory flaw in the HttpServlet.
The impact of CVE-2023-26048 is that servlets with multipart support may cause an OutOfMemoryError when a client sends a multipart request with a part that has a name but no filename and a very large content.
The severity of CVE-2023-26048 is medium with a CVSS score of 5.3.
To fix CVE-2023-26048, you need to update your Eclipse Jetty to version 11.0.14, 10.0.14, or 9.4.51.
You can find more information about CVE-2023-26048 on the GitHub advisory page and the NIST vulnerability database.