CVE-2023-26049

Summary

CVE	CVE-2023-26049
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-04-18 21:15:00 UTC
Updated	2024-02-01 15:36:00 UTC
Description	Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Risk And Classification

Problem Types: CWE-200

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Debian	Debian Linux	12.0	All	All	All
Application	Eclipse	Jetty	All	All	All	All
Application	Eclipse	Jetty	12.0.0	alpha1	All	All
Application	Eclipse	Jetty	12.0.0	alpha2	All	All
Application	Eclipse	Jetty	12.0.0	alpha3	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	E-series Santricity Os Controller	All	All	All	All
Application	Netapp	E-series Santricity Unified Manager	-	All	All	All
Application	Netapp	E-series Santricity Web Services	-	All	All	All

References

Reference	Source	Link	Tags
Fix/jetty 9.4.x cookie cutter legacy by gregw · Pull Request #9352 · eclipse/jetty.project · GitHub	MISC	github.com
April 2023 Eclipse Jetty Vulnerabilities in NetApp Products \| NetApp Product Security	MISC	security.netapp.com
RFC 2965: HTTP State Management Mechanism	MISC	www.rfc-editor.org
RFC 6265: HTTP State Management Mechanism	MISC	www.rfc-editor.org
Cookie parsing of quoted values can exfiltrate values from other cookies · Advisory · eclipse/jetty.project · GitHub	MISC	github.com
[SECURITY] [DLA 3592-1] jetty9 security update	MISC	lists.debian.org
Review Cookie Cutter by sbordet · Pull Request #9339 · eclipse/jetty.project · GitHub	MISC	github.com
Debian -- Security Information -- DSA-5507-1 jetty9	MISC	www.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

242565 Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 7 (RHSA-2023:7637)
242923 Red Hat Update for Satellite 6.14.2 (RHSA-2024:0797)
378675 Oracle Coherence July 2023 Critical Patch Update (CPUJUL2023)
6000122 Debian Security Update for jetty9 (DLA 3592-1)
6000216 Debian Security Update for jetty9 (DSA 5507-1)
754107 SUSE Enterprise Linux Security Update for jetty-minimal (SUSE-SU-2023:2539-1)