org.eclipse.jetty: jetty-server is vulnerable to Denial of Service. The vulnerability exists due to a lack of multipart file upload sanitization affecting the HttpServletRequest.getParameter() and HttpServletRequest.getParts() methods in servlets annotated with @MultipartConfig. An attacker can submit a multipart request containing parts that lack a filename but carry a very large content size; processing such parts can throw an OutOfMemoryError, resulting in a Denial of Service.
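As an added illustration (not code from the Jetty project or from this advisory), a multipart servlet that sets explicit size limits so that no single part, and no request body as a whole, can grow without bound. The @MultipartConfig attributes are the ones defined by the Servlet specification; the servlet name, URL path, upload directory and size values are assumptions for the example, and upgrading jetty-server remains the actual fix.

```java
import java.io.IOException;
import java.nio.file.Paths;
import java.util.Collection;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.MultipartConfig;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Part;

// Weak configuration: no limits, so a part without a filename but with a huge
// body is accepted as-is.
//   @MultipartConfig
//   public class UploadServlet extends HttpServlet { ... }

// Hardened configuration: every limit set explicitly (values are assumptions).
@WebServlet("/upload")                       // assumed path
@MultipartConfig(
    location = "/tmp/uploads",               // assumed directory for spilled parts
    fileSizeThreshold = 64 * 1024,           // keep at most 64 KiB per part in memory
    maxFileSize = 10L * 1024 * 1024,         // 10 MiB per part, filename or not
    maxRequestSize = 12L * 1024 * 1024)      // 12 MiB for the whole multipart body
public class UploadServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Collection<Part> parts;
        try {
            // getParts() parses the body and enforces maxFileSize/maxRequestSize
            parts = req.getParts();
        } catch (IllegalStateException e) {
            // Thrown when a part or the request exceeds the configured limits
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        for (Part p : parts) {
            String submitted = p.getSubmittedFileName();
            if (submitted == null) {
                // Form field without a filename: read it as a parameter, already bounded
                String value = req.getParameter(p.getName());
                getServletContext().log("field " + p.getName() + " length=" + value.length());
            } else {
                // Strip any directory components from the client-supplied name
                String safeName = Paths.get(submitted).getFileName().toString();
                p.write(safeName); // written relative to the configured location
            }
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```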
github.com/advisories/GHSA-qw69-rqj8-6qw8
github.com/eclipse/jetty.project/commit/1042cdb8a54e86c14e593ce6f69072a88bcac393
github.com/eclipse/jetty.project/commit/1bb928bbf0e42b5dca4b89b01b78cb437ce52f7f
github.com/eclipse/jetty.project/commit/3259a55ce39354dc4686a7d345b7cb49a5c79158
github.com/eclipse/jetty.project/issues/9076
github.com/eclipse/jetty.project/pull/9344
github.com/eclipse/jetty.project/pull/9345
github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
lists.debian.org/debian-lts-announce/2023/09/msg00039.html
security.netapp.com/advisory/ntap-20230526-0001/
www.debian.org/security/2023/dsa-5507