Damien Diederen created ZOOKEEPER-4233:
------------------------------------------
Summary: dependency-check:check failing - Jetty 9.4.35.v20201120 -
CVE-2020-27223
Key: ZOOKEEPER-4233
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4233
Project: ZooKeeper
Issue Type: Task
Reporter: Damien Diederen
Assignee: Damien Diederen
What do you know—I encountered a Jetty vulnerability while trying to prepare a
new 3.7.0 RC:
{noformat}
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have
a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jetty-server-9.4.35.v20201120.jar: CVE-2020-27223
[ERROR] jetty-http-9.4.35.v20201120.jar: CVE-2020-27223
{noformat}
[CVE-2020-27223|https://nvd.nist.gov/vuln/detail/CVE-2020-27223] describes it
as:
{quote}
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and
11.0.0 when Jetty handles a request containing multiple Accept headers with a
large number of “quality” (i.e. q) parameters, the server may enter a denial of
service (DoS) state due to high CPU usage processing those quality values,
resulting in minutes of CPU time exhausted processing those quality values.
{quote}
This may not be the end of the world wrt. ZooKeeper, but it doesn't look good
in a fresh release.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
