Jetty
CVE-2020-27218
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionNVD
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
AnalysisAI
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.
Technical ContextAI
This vulnerability is classified under CWE-226. In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. Affected products include: Eclipse Jetty, Netapp Oncommand System Manager, Netapp Snap Creator Framework, Oracle Blockchain Platform, Oracle Communications Converged Application Server - Service Controller. Version information: version 9.4.0..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive informat
Eclipse Jetty provides a web server and servlet container. Rated high severity (CVSS 7.5), this vulnerability is remotel
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffer
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon re
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote atta
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . Rated medium severity (CVSS
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characte
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doub
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contai
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persisten
Jetty is a Java based web server and servlet engine. Rated medium severity (CVSS 4.3), this vulnerability is remotely ex
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today