Project

General

Profile

Actions

Bug #23608

closed

Several low impact CVE in Jetty 10.0.12

Added by François ARMAND about 1 year ago. Updated 8 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

CVE-2023-26048 https://nvd.nist.gov/vuln/detail/CVE-2023-26048
OutOfMemory error with some craft multi-part POST. The only effect can be a denial of service, which is of low risk for Rudder security profil.

CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
Specialy craft session cookies can lead to displaying information on page.
Rudder does not display any cookie anywhere, and even if it was, we are using additional libraries for cookie parsing which are not known to be subjected to that problem.

CVE-2023-40167 https://nvd.nist.gov/vuln/detail/CVE-2023-40167
no known exploit scenario

CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
HTTP/2 related, and Rudder does not user HTTP/2

CVE-2023-36479 https://nvd.nist.gov/vuln/detail/CVE-2023-36479
Target CgiServlet, which we don't use in Rudder

CVE-2023-41900 https://nvd.nist.gov/vuln/detail/CVE-2023-41900
We are not using Jetty OpenID authenticator.

All of these issue are resolved in a more recent 10.x version of Jetty and we should update


Subtasks 3 (0 open3 closed)

Bug #23622: Some jetty patches don't apply to 10.0.17ReleasedAlexis MoussetActions
Bug #23637: Failed upmerge in parentReleasedVincent MEMBRÉActions
Bug #23641: parent ticket break rudder-jettyRejectedAlexis MoussetActions

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #23609: Assessments of several low impact CVE in current 7.3.x reported by contrastsecurity tool ReleasedVincent MEMBRÉActions
Related to Rudder - Bug #23648: Revert jetty upgrade to 10.0.17 for nowReleasedVincent MEMBRÉActions
Actions

Also available in: Atom PDF