CVE-2023-26048 (Medium) detected in jetty-server-11.0.12.jar - autoclosed #2533
Assignees
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Milestone
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
|
Wiremock is used in testing only. The latest version when I checked (3.0.0-beta-7) still uses |
mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
github-project-automation
bot
moved this from Untriaged
to Done
in Data Prepper Tracking Board
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
github-project-automation
bot
moved this from Done
to In progress
in Data Prepper Tracking Board
github-project-automation
bot
moved this from In progress
to To do
in Data Prepper Tracking Board
|
This was fixed in 2.5.0, but reintroduced in the main branch when #3313 was merged. |
mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
github-project-automation
bot
moved this from To do
to Done
in Data Prepper Tracking Board
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-26048 - Medium Severity Vulnerability
The core jetty server artifact.
Library home page: https://eclipse.org/jetty
Path to dependency file: /data-prepper-plugins/s3-source/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/11.0.12/29c82ff7e059ee1e454af6d391834abadf24e60/jetty-server-11.0.12.jar
Dependency Hierarchy:
Found in HEAD commit: ebd3e757c341c1d9c1352431bbad7bf5db2ea939
Found in base branch: main
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with
@MultipartConfig) that callHttpServletRequest.getParameter()orHttpServletRequest.getParts()may causeOutOfMemoryErrorwhen the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings offileSizeThreshold=0which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throwOutOfMemoryError. However, the server may be able to recover after theOutOfMemoryErrorand continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parametermaxRequestSizewhich must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).Publish Date: 2023-04-18
URL: CVE-2023-26048
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-qw69-rqj8-6qw8
Release Date: 2023-04-18
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14;org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14
The text was updated successfully, but these errors were encountered: