Bug 2239630 (CVE-2023-36479) - CVE-2023-36479 jetty: Improper addition of quotation marks to user inputs in CgiServlet
Summary: CVE-2023-36479 jetty: Improper addition of quotation marks to user inputs in ...
Status: NEW
Alias: CVE-2023-36479
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2239842 2240279
Blocks: 2239846
TreeView+ depends on / blocked
Reported: 2023-09-19 13:37 UTC by Pedro Sampaio
Modified: 2023-11-15 17:07 UTC (History)
67 users (show)

Fixed In Version: jetty 12.0.0beta, jetty 9.4.52, jetty 10.0.16, jetty 11.0.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jetty's CGI servlet which permits incorrect command execution in specific circumstances such as requests with certain characters in requested filenames. This issue could allow an attacker to run permitted commands other than the one requested.
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7247 0 None None None 2023-11-15 17:07:56 UTC

Description Pedro Sampaio 2023-09-19 13:37:49 UTC
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.



Comment 1 Pedro Sampaio 2023-09-20 13:49:17 UTC
Created jetty tracking bugs for this issue:

Affects: fedora-all [bug 2239842]

Comment 11 errata-xmlrpc 2023-11-15 17:07:52 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12.1

Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247

Note You need to log in before you can comment on or make changes to this bug.