CVE-2020-27223

2021-02-2622:15:19

Debian Security Bug Tracker

security-tracker.debian.org

eclipse jetty

dos

vulnerability

cpu usage

denial of service

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.025

Percentile

90.2%

JSON

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

OSVersionArchitecturePackageVersionFilename
Debian12alljetty9< 9.4.38-1jetty9_9.4.38-1_all.deb
Debian11alljetty9< 9.4.38-1jetty9_9.4.38-1_all.deb
Debian999alljetty9< 9.4.38-1jetty9_9.4.38-1_all.deb
Debian13alljetty9< 9.4.38-1jetty9_9.4.38-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	jetty9	< 9.4.38-1	jetty9_9.4.38-1_all.deb
Debian	11	all	jetty9	< 9.4.38-1	jetty9_9.4.38-1_all.deb
Debian	999	all	jetty9	< 9.4.38-1	jetty9_9.4.38-1_all.deb
Debian	13	all	jetty9	< 9.4.38-1	jetty9_9.4.38-1_all.deb