The Eclipse Jetty project is announcing two security vulnerabilities for the Eclipse Jetty Server project.
While these were fixed in Jetty versions 11.0.14, 10.0.14, and 9.4.51, we encourage folks that are upgrading to use 11.0.15, 10.0.15, and 9.4.51 instead.

CVE-2023-26049 : Cookie parsing of quoted values can exfiltrate values from other cookies
  Severity (Low) 3.7 / 10
  https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
  Affected Jetty versions: <=9.4.50, <=10.0.13, <=11.0.13, <=12.0.0.alpha3
  Patched Jetty versions: 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0
  Reported by: @arxenix
  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  CWE-1286 : Improper Validation of Syntactic Correctness of Input

CVE-2023-26048 : OutOfMemoryError for large multipart without filename read via request.getParameter()
  Severity (Moderate) 5.3 / 10
  https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
  Affected Jetty versions: <=9.4.50, <=10.0.13, <=11.0.13
  Patched Jetty versions: 9.4.51, 10.0.14, 11.0.14
  Reported by: @lachlan-roberts
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  CWE-404 : Improper Resource Shutdown or Release
  CWE-770 : Allocation of Resources Without Limits or Throttling

Joakim Erdfelt / [email protected]
_______________________________________________
jetty-users mailing list
[email protected]
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
