First published: Fri Sep 15 2023(Updated: )
Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by improper authentication validation when using the optional nested LoginService. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Eclipse Jetty | >=9.4.21<9.4.52 | |
Eclipse Jetty | >=10.0.0<10.0.16 | |
Eclipse Jetty | >=11.0.0<11.0.16 | |
Debian Debian Linux | =11.0 | |
Debian Debian Linux | =12.0 | |
debian/jetty9 | 9.4.16-0+deb10u1 9.4.50-4+deb10u1 9.4.39-3+deb11u2 9.4.50-4+deb11u1 9.4.50-4+deb12u2 9.4.53-1 | |
redhat/jetty | <9.4.52 | 9.4.52 |
redhat/jetty | <10.0.16 | 10.0.16 |
redhat/jetty | <11.0.16 | 11.0.16 |
maven/org.eclipse.jetty:jetty-openid | >=9.4.21<=9.4.51 | 9.4.52.v20230823 |
maven/org.eclipse.jetty:jetty-openid | >=11.0.0<=11.0.15 | 11.0.16 |
maven/org.eclipse.jetty:jetty-openid | >=10.0.0<=10.0.15 | 10.0.16 |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-41900 is a vulnerability in Jetty, a Java-based web server and servlet engine, which allows an authenticated user to have their authentication cleared from the session.
CVE-2023-41900 has a severity rating of 4.3, which is considered medium.
Jetty versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.0 through 11.0.15 are affected by CVE-2023-41900.
To fix CVE-2023-41900, you should update Jetty to version 9.4.52, 10.0.16, or 11.0.16, depending on your current version.
Yes, you can find references for CVE-2023-41900 at the following links: [URL1], [URL2], [URL3].