CVE-2023-41900

Published on: Not Yet Published

Last Modified on: 09/20/2023 03:20:00 PM UTC

CVE-2023-41900 - advisory for GHSA-pwh8-58vv-vw48

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Certain versions of Jetty from Eclipse contain the following vulnerability:

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

CVE-2023-41900 has been assigned by security-adviso[email protected] to track the vulnerability - currently rated as MEDIUM severity.
Affected Vendor/Software: eclipse - jetty.project version = >= 9.4.21, <= 9.4.51
Affected Vendor/Software: eclipse - jetty.project version = >= 10.0.0, <= 10.0.15
Affected Vendor/Software: eclipse - jetty.project version = >= 11.0.0, <= 11.0.15

CVSS3 Score: 4.3 - MEDIUM

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	LOW	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	LOW	NONE	NONE

CVE References

Description	Tags ^ⓘ	Link
OpenId Revoked authentication allows one request · Advisory · eclipse/jetty.project · GitHub	github.com text/html	MISC github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
Bring back some openid improvements from 10.0.x to 9.4.x by lachlan-roberts · Pull Request #9660 · eclipse/jetty.project · GitHub	github.com text/html	MISC github.com/eclipse/jetty.project/pull/9660
Issue #9464 - Add optional configuration to log user out after OpenID idToken expires. (Jetty-10) by lachlan-roberts · Pull Request #9528 · eclipse/jetty.project · GitHub	github.com text/html	MISC github.com/eclipse/jetty.project/pull/9528

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Eclipse	Jetty	All	All	All	All

cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE