<p>Upgrade <code>org.eclipse.jetty:jetty-servlets</code> to version 9.4.52, 10.0.16, 11.0.16 or higher.</p>

Arbitrary Code Execution Affecting org.eclipse.jetty:jetty-servlets package, versions [9.0.0, 9.4.52) [10.0.0, 10.0.16) [11.0.0, 11.0.16)

Snyk CVSS

Attack Complexity High

Scope Changed

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.06% (22^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGECLIPSEJETTY-5903003
published 15 Sep 2023
disclosed 14 Sep 2023
credit Kelly Kaoudis, Joakim Erdfelt

Report a new vulnerability Found a mistake?

Introduced: 14 Sep 2023

CVE-2023-36479 Open this link in a new tab CWE-149 Open this link in a new tab

How to fix?

Upgrade org.eclipse.jetty:jetty-servlets to version 9.4.52, 10.0.16, 11.0.16 or higher.

Overview

org.eclipse.jetty:jetty-servlets is an Utility Servlets from Jetty

Affected versions of this package are vulnerable to Arbitrary Code Execution. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks.

Impact:

This behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured.

Note:

In Jetty 9.x, 10.x, and 11.x the org.eclipse.jetty.servlets.CGI has been deprecated.

In Jetty 12 (all environments) the org.eclipse.jetty.servlets.CGI has been entirely removed.

PoC

if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
execCmd = "\"" + execCmd + "\"";