Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-26049

LOW
Published 2023-04-18T20:35:36.506Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-26049. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
2.4
/10
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.003
probability
of exploitation in the wild

There is a 0.3% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.545
Higher than 54.5% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED

Impact Metrics

Confidentiality
LOW
Integrity
NONE
Availability
NONE

Description

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

eclipse

jetty.project

Affected Versions:

< 9.4.51 >= 10.0.0, < 10.0.14 >= 11.0.0, < 11.0.14 >= 12.0.0.alpha0, < 12.0.0.beta0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed LOW

Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies

GHSA-p26g-97m4-6q7c

Advisory Details

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265

Affected Packages

Maven org.eclipse.jetty:jetty-server
ECOSYSTEM: ≥0 <9.4.51.v20230217
Maven org.eclipse.jetty:jetty-server
ECOSYSTEM: ≥10.0.0 <10.0.14
Maven org.eclipse.jetty:jetty-server
ECOSYSTEM: ≥11.0.0 <11.0.14
Maven org.eclipse.jetty:jetty-server
ECOSYSTEM: ≥12.0.0alpha0 <12.0.0.beta0

CVSS Scoring

CVSS Score

2.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

References

WEB https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-26049
WEB https://github.com/eclipse/jetty.project/pull/9339
WEB https://github.com/eclipse/jetty.project/pull/9352
PACKAGE https://github.com/eclipse/jetty.project
WEB https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
WEB https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
WEB https://security.netapp.com/advisory/ntap-20230526-0001
WEB https://www.debian.org/security/2023/dsa-5507
WEB https://www.rfc-editor.org/rfc/rfc2965
WEB https://www.rfc-editor.org/rfc/rfc6265

Advisory provided by GitHub Security Advisory Database. Published: April 18, 2023, Modified: April 18, 2023

References

https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
https://github.com/eclipse/jetty.project/pull/9339
https://github.com/eclipse/jetty.project/pull/9352
https://www.rfc-editor.org/rfc/rfc2965
https://www.rfc-editor.org/rfc/rfc6265
https://security.netapp.com/advisory/ntap-20230526-0001/
https://www.debian.org/security/2023/dsa-5507
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Published: 2023-04-18T20:35:36.506Z
Last Modified: 2025-02-13T16:44:44.710Z
Copied to clipboard!