
Bug #23608

Updated by François ARMAND about 1 year ago

 
 CVE-2023-26048 	 https://nvd.nist.gov/vuln/detail/CVE-2023-26048 
 OutOfMemory error with some craft multi-part POST. The only effect can be a denial of service, which is of low risk for Rudder security profil.  

 CVE-2023-26049 	 https://nvd.nist.gov/vuln/detail/CVE-2023-26049 
 Specialy craft session cookies can lead to displaying information on page.  
 Rudder does not display any cookie anywhere, and even if it was, we are using additional libraries for cookie parsing which are not known to be subjected to that problem. 

 CVE-2023-40167 	 https://nvd.nist.gov/vuln/detail/CVE-2023-40167 
 no known exploit scenario 

 CVE-2023-26049 	 https://nvd.nist.gov/vuln/detail/CVE-2023-26049 
 HTTP/2 related, and Rudder does not user HTTP/2 

 CVE-2023-36479 	 https://nvd.nist.gov/vuln/detail/CVE-2023-36479 
 Target CgiServlet, which we don't use in Rudder 

 CVE-2023-41900 	 https://nvd.nist.gov/vuln/detail/CVE-2023-41900 
 We are not using Jetty OpenID authenticator.  

 All of these issue are resolved in a more recent 10.x version of Jetty and we should update 
