Bug #23608
Status: closed
Several low impact CVEs in Jetty 10.0.12
Description
CVE-2023-26048 https://nvd.nist.gov/vuln/detail/CVE-2023-26048
OutOfMemory error with some crafted multi-part POST requests. The only effect can be a denial of service, which is of low risk for the Rudder security profile.
CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
Specially crafted session cookies can lead to displaying information on a page.
Rudder does not display any cookie anywhere, and even if it did, we are using additional libraries for cookie parsing which are not known to be subject to that problem.
CVE-2023-40167 https://nvd.nist.gov/vuln/detail/CVE-2023-40167
No known exploit scenario.
CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
HTTP/2 related, and Rudder does not use HTTP/2.
CVE-2023-36479 https://nvd.nist.gov/vuln/detail/CVE-2023-36479
Targets CgiServlet, which we don't use in Rudder.
CVE-2023-41900 https://nvd.nist.gov/vuln/detail/CVE-2023-41900
We are not using Jetty OpenID authenticator.
All of these issues are resolved in a more recent 10.x version of Jetty, and we should update.
Updated by François ARMAND about 1 year ago
- Related to Bug #23609: Assessments of several low impact CVE in current 7.3.x reported by contrastsecurity tool added
Updated by François ARMAND about 1 year ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND about 1 year ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2824
Updated by Anonymous about 1 year ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|fb202e9dc1eb9c86c64e97764b6aa123b719b8bf.
Updated by Alexis Mousset about 1 year ago
- Related to Bug #23648: Revert jetty upgrade to 10.0.17 for now added
Updated by Alexis Mousset about 1 year ago
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ about 1 year ago
This bug has been fixed in Rudder 7.3.8 and 8.0.1 which were released today.
Updated by Vincent MEMBRÉ 8 months ago
- Status changed from Pending release to Released