QID 730040

Date Published: 2021-04-27

QID 730040: Eclipse Jetty Denial of Service Vulnerability (Bug 571128)

Eclipse Jetty is a Java HTTP server and Java Servlet container. While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114, 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values

Versions Affected:
Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114
Eclipse Jetty 10.0.0
Eclipse Jetty 11.0.0
QID Detection Logic:(Unauthenticated)
It looks at http banner to check for vulnerable version of Jetty.

The server may enter a denial of service (DoS) state due to high CPU usage processing.

CVSS V3 rated as Medium - 5.3 severity.

CVSS V2 rated as Medium - 4.3 severity.

Solution

Customers are advised to refer to Bug 571128 for more information.

Vendor References

571128 - bugs.eclipse.org/bugs/show_bug.cgi?id=571128

CVEs related to QID 730040

CVE-2020-27223 |

Software Advisories

Advisory ID	Software	Component	Link
571128			bugs.eclipse.org/bugs/show_bug.cgi?id=571128

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].