Update dependency org.eclipse.jetty:jetty-server to v9.4.57.v20241219 [SECURITY]#30
Open
renovate[bot] wants to merge 1 commit intomasterfrom
Open
Conversation
renovate
bot
force-pushed
the
renovate/maven-org.eclipse.jetty-jetty-server-vulnerability
branch
from
496d08a to
ad98018
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/maven-org.eclipse.jetty-jetty-server-vulnerability
branch
from
ad98018 to
db17248
Compare
renovate
bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.4.41.v20210516→9.4.57.v20241219GitHub Vulnerability Alerts
CVE-2023-26048
Impact
Servlets with multipart support (e.g. annotated with
@MultipartConfig) that callHttpServletRequest.getParameter()orHttpServletRequest.getParts()may causeOutOfMemoryErrorwhen the client sends a multipart request with a part that has a name but no filename and a very large content.This happens even with the default settings of
fileSizeThreshold=0which should stream the whole part content to disk.An attacker client may send a large multipart request and cause the server to throw
OutOfMemoryError.However, the server may be able to recover after the
OutOfMemoryErrorand continue its service -- although it may take some time.A very large number of parts may cause the same problem.
Patches
Patched in Jetty versions
Workarounds
Multipart parameter
maxRequestSizemust be set to a non-negative value, so the whole multipart content is limited (although still read into memory).Limiting multipart parameter
maxFileSizewon't be enough because an attacker can send a large number of parts that summed up will cause memory issues.References
CVE-2023-26049
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.
If Jetty sees a cookie VALUE that starts with
"(double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.So, a cookie header such as:
DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"will be parsed as one cookie, with the nameDISPLAY_LANGUAGEand a value ofb; JSESSIONID=1337; c=dinstead of 3 separate cookies.
Impact
This has security implications because if, say,
JSESSIONIDis anHttpOnlycookie, and theDISPLAY_LANGUAGEcookie value is rendered on the page, an attacker can smuggle theJSESSIONIDcookie into theDISPLAY_LANGUAGEcookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.Patches
Workarounds
No workarounds
References
CVE-2024-8184
Impact
Remote DOS attack can cause out of memory
Description
There exists a security vulnerability in Jetty's
ThreadLimitHandler.getRemote()whichcan be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By
repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the
server's memory.
Affected Versions
Patched Versions
Workarounds
Do not use
ThreadLimitHandler.Consider use of
QoSHandlerinstead to artificially limit resource utilization.References
Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
CVE-2024-13009
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.