Bug #23608: Several low impact CVE in Jetty 10.0.12 - Rudder - Issue Tracker

Bug #23608

 
 CVE-2023-26048 	 https://nvd.nist.gov/vuln/detail/CVE-2023-26048 
 OutOfMemory error with some craft multi-part POST. The only effect can be a denial of service, which is of low risk for Rudder security profil.  

 CVE-2023-26049 	 https://nvd.nist.gov/vuln/detail/CVE-2023-26049 
 Specialy craft session cookies can lead to displaying information on page.  
 Rudder does not display any cookie anywhere, and even if it was, we are using additional libraries for cookie parsing which are not known to be subjected to that problem. 

 CVE-2023-40167 	 https://nvd.nist.gov/vuln/detail/CVE-2023-40167 
 no known exploit scenario 

 CVE-2023-26049 	 https://nvd.nist.gov/vuln/detail/CVE-2023-26049 
 HTTP/2 related, and Rudder does not user HTTP/2 

 CVE-2023-36479 	 https://nvd.nist.gov/vuln/detail/CVE-2023-36479 
 Target CgiServlet, which we don't use in Rudder 

 CVE-2023-41900 	 https://nvd.nist.gov/vuln/detail/CVE-2023-41900 
 We are not using Jetty OpenID authenticator.  

 All of these issue are resolved in a more recent 10.x version of Jetty and we should update

Back

Project

General

Profile

Rudder

Bug #23608