CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
46.0%
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.
If Jetty sees a cookie VALUE that starts with "
(double quote), it will continue to read the cookie string until it sees a closing quote – even if a semicolon is encountered.
So, a cookie header such as:
DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"
will be parsed as one cookie, with the name DISPLAY_LANGUAGE
and a value of b; JSESSIONID=1337; c=d
instead of 3 separate cookies.
This has security implications because if, say, JSESSIONID
is an HttpOnly
cookie, and the DISPLAY_LANGUAGE
cookie value is rendered on the page, an attacker can smuggle the JSESSIONID
cookie into the DISPLAY_LANGUAGE
cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.
No workarounds
github.com/eclipse/jetty.project
github.com/eclipse/jetty.project/pull/9339
github.com/eclipse/jetty.project/pull/9352
github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
lists.debian.org/debian-lts-announce/2023/09/msg00039.html
nvd.nist.gov/vuln/detail/CVE-2023-26049
security.netapp.com/advisory/ntap-20230526-0001
www.debian.org/security/2023/dsa-5507
www.rfc-editor.org/rfc/rfc2965
www.rfc-editor.org/rfc/rfc6265