CVE-2023-26048

NameCVE-2023-26048
DescriptionJetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3592-1, DSA-5507-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jetty (PTS)jessie, jessie (lts)6.1.26-4+deb8u2vulnerable
jetty8 (PTS)jessie, jessie (lts)8.1.16-4+deb8u1vulnerable
jetty9 (PTS)stretch (security), stretch (lts), stretch9.2.30-0+deb9u2vulnerable
buster (security), buster, buster (lts)9.4.50-4+deb10u2fixed
bullseye (security), bullseye9.4.50-4+deb11u2fixed
bookworm (security), bookworm9.4.50-4+deb12u3fixed
sid, trixie9.4.56-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jettysourcejessie(unfixed)end-of-life
jetty8source(unstable)(unfixed)
jetty9sourceexperimental9.4.51-1
jetty9sourcebuster9.4.16-0+deb10u3DLA-3592-1
jetty9sourcebullseye9.4.39-3+deb11u2DSA-5507-1
jetty9sourcebookworm9.4.50-4+deb12u1DSA-5507-1
jetty9source(unstable)9.4.52-1

Notes

https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
https://github.com/eclipse/jetty.project/issues/9076
https://github.com/eclipse/jetty.project/pull/9344
https://github.com/eclipse/jetty.project/pull/9345
[jessie] - jetty8 <postponed> (Minor issue)
[stretch] - jetty9 <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems