CVE-2023-36479: Jetty vulnerable to errant command quoting in CGI Servlet
First published: Thu Sep 14 2023(Updated: )
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.eclipse.jetty.ee8:jetty-ee8-servlets | <=12.0.0-beta1 | 12.0.0-beta2 |
| maven/org.eclipse.jetty.ee9:jetty-ee9-servlets | <=12.0.0-beta1 | 12.0.0-beta2 |
| maven/org.eclipse.jetty.ee10:jetty-ee10-servlets | <=12.0.0-beta1 | 12.0.0-beta2 |
| maven/org.eclipse.jetty:jetty-servlets | >=11.0.0<=11.0.15 | 11.0.16 |
| maven/org.eclipse.jetty:jetty-servlets | >=10.0.0<=10.0.15 | 10.0.16 |
| maven/org.eclipse.jetty:jetty-servlets | >=9.0.0<=9.4.51 | 9.4.52 |
| Eclipse Jetty | >=9.0.0<9.4.52 | |
| Eclipse Jetty | >=10.0.0<10.0.16 | |
| Eclipse Jetty | >=11.0.0<11.0.16 | |
| Eclipse Jetty | =12.0.0-alpha1 | |
| Eclipse Jetty | =12.0.0-alpha2 | |
| Eclipse Jetty | =12.0.0-alpha3 | |
| Eclipse Jetty | =12.0.0-beta0 | |
| Eclipse Jetty | =12.0.0-beta1 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| debian/jetty9 | <=9.4.16-0+deb10u1 | 9.4.50-4+deb10u1 9.4.39-3+deb11u2 9.4.50-4+deb11u1 9.4.50-4+deb12u2 9.4.53-1 |
| redhat/jetty | <12.0.0 | 12.0.0 |
| redhat/jetty | <9.4.52 | 9.4.52 |
| redhat/jetty | <10.0.16 | 10.0.16 |
| redhat/jetty | <11.0.16 | 11.0.16 |
| IBM IBM® Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data | <=v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
- https://github.com/eclipse/jetty.project/pull/9516
- https://github.com/eclipse/jetty.project/pull/9888
- https://github.com/eclipse/jetty.project/pull/9889
- https://nvd.nist.gov/vuln/detail/CVE-2023-36479
- https://www.debian.org/security/2023/dsa-5507
- https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
- https://github.com/advisories/GHSA-3gh6-v5v9-6v9j (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2023-36479
- https://exchange.xforce.ibmcloud.com/vulnerabilities/266435
- https://www.ibm.com/support/pages/node/7155078 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2239842
- https://access.redhat.com/errata/RHSA-2023:7247
- https://access.redhat.com/errata/RHSA-2024:0797
- https://access.redhat.com/errata/RHSA-2024:2010
- https://access.redhat.com/errata/RHSA-2024:3354
- https://access.redhat.com/errata/RHSA-2024:3919
- https://access.redhat.com/errata/RHSA-2024:3989
- https://bugzilla.redhat.com/show_bug.cgi?id=2239630
Frequently Asked Questions
What is CVE-2023-36479?
CVE-2023-36479 is a vulnerability in Eclipse Jetty that allows remote attackers to execute arbitrary commands via a specially crafted request.
What is the severity of CVE-2023-36479?
The severity of CVE-2023-36479 is medium, with a CVSS score of 4.3.
Which versions of Eclipse Jetty are affected by CVE-2023-36479?
Eclipse Jetty versions 9.0.0 to 9.4.51, 10.0.0 to 10.0.15, and 11.0.0 to 11.0.15 are affected by CVE-2023-36479.
How can I fix CVE-2023-36479?
To fix CVE-2023-36479, upgrade to Jetty version 9.4.52, 10.0.16, or 11.0.16.
Where can I find more information about CVE-2023-36479?
You can find more information about CVE-2023-36479 in the following references: [Link 1](https://github.com/eclipse/jetty.project/pull/9516), [Link 2](https://github.com/eclipse/jetty.project/pull/9888), [Link 3](https://github.com/eclipse/jetty.project/pull/9889).
- collector/github-advisory-latest
- alias/GHSA-3gh6-v5v9-6v9j
- alias/CVE-2023-36479
- collector/github-advisory
- collector/nvd-api
- collector/nvd-index
- collector/nvd-cve
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/maven
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.0.0
- version/eclipse jetty/10.0.0
- version/eclipse jetty/11.0.0
- version/eclipse jetty/12.0.0-alpha1
- version/eclipse jetty/12.0.0-alpha2
- version/eclipse jetty/12.0.0-alpha3
- version/eclipse jetty/12.0.0-beta0
- version/eclipse jetty/12.0.0-beta1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- package-manager/debian
- vendor/ibm
- canonical/ibm ibm® db2® on cloud pak for data and db2 warehouse on cloud pak for data
- version/ibm ibm® db2® on cloud pak for data and db2 warehouse on cloud pak for data/v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4
- package-manager/redhat