CVE - CVE-2023-26049

CVE-ID
CVE-2023-26049	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20230526-0001/ DEBIAN:DSA-5507 URL:https://www.debian.org/security/2023/dsa-5507 MISC:https://github.com/eclipse/jetty.project/pull/9339 URL:https://github.com/eclipse/jetty.project/pull/9339 MISC:https://github.com/eclipse/jetty.project/pull/9352 URL:https://github.com/eclipse/jetty.project/pull/9352 MISC:https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c URL:https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c MISC:https://www.rfc-editor.org/rfc/rfc2965 URL:https://www.rfc-editor.org/rfc/rfc2965 MISC:https://www.rfc-editor.org/rfc/rfc6265 URL:https://www.rfc-editor.org/rfc/rfc6265 MLIST:[debian-lts-announce] 20230930 [SECURITY] [DLA 3592-1] jetty9 security update URL:https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20230217	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20230217)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)