Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-QW69-RQJ8-6QW8
HistoryApr 19, 2023 - 6:15 p.m.

OutOfMemoryError for large multipart without filename in Eclipse Jetty

2023-04-1918:15:45
CWE-400
CWE-770
GitHub Advisory Database
github.com
17
servlets
multipart
outofmemoryerror
httpservletrequest
jetty
security issue

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.003

Percentile

68.8%

JSON

Impact

Servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and a very large content.

This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk.

An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError.
However, the server may be able to recover after the OutOfMemoryError and continue its service โ€“ although it may take some time.

A very large number of parts may cause the same problem.

Patches

Patched in Jetty versions

  • 9.4.51.v20230217 - via PR #9345
  • 10.0.14 - via PR #9344
  • 11.0.14 - via PR #9344

Workarounds

Multipart parameter maxRequestSize must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
Limiting multipart parameter maxFileSize wonโ€™t be enough because an attacker can send a large number of parts that summed up will cause memory issues.

References

Affected configurations

Vulners
Node
org.eclipse.jettyjetty-serverRange<9.4.51.v20230217
OR
org.eclipse.jettyjetty-serverRange11.0.0โ€“11.0.14
OR
org.eclipse.jettyjetty-serverRange10.0.0โ€“10.0.14
VendorProductVersionCPE
org.eclipse.jettyjetty-server*cpe:2.3:a:org.eclipse.jetty:jetty-server:*:*:*:*:*:*:*:*

Related

ubuntucve 1
osv 5
cve 1
veracode 1
redhatcve 1
githubexploit 1
ibm 31
nvd 1
debiancve 1
wolfi 1
prion 1
cgr 1
cvelist 1
nessus 11
openvas 4
redos 1
redhat 13
debian 2
oracle 2
ubuntucve
ubuntucve
CVE-2023-26048
2023-04-18 00:00:00
osv
osv
CVE-2023-26048
2023-04-18 21:15:08
OutOfMemoryError for large multipart without filename in Eclipse Jetty
2023-04-19 18:15:45
CGA-q672-cgj3-7q4g
2024-06-06 12:28:58
cve
cve
CVE-2023-26048
2023-04-18 21:15:08
veracode
veracode
Denial Of Service (DOS)
2023-04-20 14:24:08
redhatcve
redhatcve
CVE-2023-26048
2023-08-31 01:30:14
githubexploit
githubexploit
Exploit for Allocation of Resources Without Limits or Throttling in Eclipse Jetty
2023-11-01 06:57:10
ibm
ibm
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26048)
2023-07-17 03:56:06
Security Bulletin: Vulnerability in jetty-server affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2023-26048]
2023-07-31 10:47:25
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Eclipse Jetty
2023-06-28 22:04:45
nvd
nvd
CVE-2023-26048
2023-04-18 21:15:08
debiancve
debiancve
CVE-2023-26048
2023-04-18 21:15:08
wolfi
wolfi
CVE-2023-26048 vulnerabilities
2024-10-01 09:27:37
prion
prion
Design/Logic Flaw
2023-04-18 21:15:00
cgr
cgr
CVE-2023-26048 vulnerabilities
2024-05-19 03:07:16
cvelist
cvelist
CVE-2023-26048 OutOfMemoryError for large multipart without filename in Eclipse Jetty
2023-04-18 20:30:20
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2023:2539-1)
2023-06-20 00:00:00
RHEL 9 : log4j (Unpatched Vulnerability)
2024-06-03 00:00:00
Debian DLA-3592-1 : jetty9 - LTS security update
2023-10-01 00:00:00
openvas
openvas
Eclipse Jetty Multiple Vulnerabilities (GHSA-qw69-rqj8-6qw8, GHSA-p26g-97m4-6q7c) - Linux
2023-04-21 00:00:00
Eclipse Jetty Multiple Vulnerabilities (GHSA-qw69-rqj8-6qw8, GHSA-p26g-97m4-6q7c) - Windows
2023-04-21 00:00:00
Debian: Security Advisory (DLA-3592-1)
2023-10-02 00:00:00
redos
redos
ROS-20240729-10
2024-07-29 00:00:00
redhat
redhat
(RHSA-2024:3385) Moderate: Red Hat JBoss EAP 7.4.14 XP 4.0.2.GA security release
2024-05-28 11:17:57
(RHSA-2023:7641) Important: Red Hat JBoss Enterprise Application Platform 7.4.14 security update
2023-12-04 18:00:34
(RHSA-2023:7637) Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 7 security update
2023-12-04 17:37:49
debian
debian
[SECURITY] [DLA 3592-1] jetty9 security update
2023-09-30 12:35:53
[SECURITY] [DSA 5507-1] jetty9 security update
2023-09-28 22:37:26
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.003

Percentile

68.8%

JSON
Related for GHSA-QW69-RQJ8-6QW8
ubuntucve1osv5cve1veracode1redhatcve1githubexploit1ibm31nvd1debiancve1wolfi1prion1cgr1cvelist1nessus11openvas4redos1redhat13debian2oracle2