CVE-2023-36479

CVSS v3.1 4.3 (Medium)

EPSS 0.07 % (30^th)

Affected Products 2

Advisories 4

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Weaknesses

CWE-149: Improper Neutralization of Quoting Syntax

CVE Status: PUBLISHED
CNA: GitHub, Inc.
Published Date: 2023-09-15 19:15:08
(12 months ago)
Updated Date: 2023-10-16 19:20:18
(11 months ago)

Affected Products

Debian

Debian Linux

Eclipse

Jetty

Configuration #1

	CPE23	From	Up To
Eclipse Jetty from 9.0.0 version and prior 9.4.52 version	cpe:2.3:a:eclipse:jetty	>= 9.0.0	< 9.4.52
Eclipse Jetty from 10.0.0 version and prior 10.0.16 version	cpe:2.3:a:eclipse:jetty	>= 10.0.0	< 10.0.16
Eclipse Jetty from 11.0.0 version and prior 11.0.16 version	cpe:2.3:a:eclipse:jetty	>= 11.0.0	< 11.0.16
Eclipse Jetty 12.0.0 Alpha1	cpe:2.3:a:eclipse:jetty:12.0.0:alpha1
Eclipse Jetty 12.0.0 Alpha2	cpe:2.3:a:eclipse:jetty:12.0.0:alpha2
Eclipse Jetty 12.0.0 Alpha3	cpe:2.3:a:eclipse:jetty:12.0.0:alpha3
Eclipse Jetty 12.0.0 Beta0	cpe:2.3:a:eclipse:jetty:12.0.0:beta0
Eclipse Jetty 12.0.0 Beta1	cpe:2.3:a:eclipse:jetty:12.0.0:beta1

Configuration #2

		CPE23	From	Up To
	Debian Linux 10.0	cpe:2.3:o:debian:debian_linux:10.0
	Debian Linux 11.0	cpe:2.3:o:debian:debian_linux:11.0
	Debian Linux 12.0	cpe:2.3:o:debian:debian_linux:12.0