| Title | Jetty における脆弱性 |
|---|---|
| Summary | Jetty には、不特定の脆弱性が存在します。 |
| Possible impacts | 情報を取得される可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | Feb. 15, 2023, midnight |
| Registration Date | Oct. 4, 2023, 4:54 p.m. |
| Last Update | Oct. 4, 2023, 4:54 p.m. |
| CVSS3.0 : 警告 | |
| Score | 5.3 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 日立 |
| Hitachi Ops Center Analyzer (海外販売のみ) |
| Eclipse Foundation |
| Jetty 10.0.14 未満 |
| Jetty 11.0.14 未満 |
| Jetty 12.0.0.beta0 未満 |
| Jetty 9.4.51 未満 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2023年10月04日] 掲載 |
Oct. 4, 2023, 4:47 p.m. |
| Summary | Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue. |
|---|---|
| Publication Date | April 19, 2023, 6:15 a.m. |
| Registration Date | April 19, 2023, 10 a.m. |
| Last Update | Nov. 21, 2024, 4:50 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* | 11.0.0 | 11.0.14 | |||
| cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* | 10.0.0 | 10.0.14 | |||
| cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* | 9.4.51 | ||||
| cpe:2.3:a:eclipse:jetty:12.0.0:alpha2:*:*:*:*:*:* | |||||
| cpe:2.3:a:eclipse:jetty:12.0.0:alpha3:*:*:*:*:*:* | |||||
| cpe:2.3:a:eclipse:jetty:12.0.0:alpha1:*:*:*:*:*:* | |||||
| Configuration2 | or higher | or less | more than | less than | |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:* | |||||
| Configuration3 | or higher | or less | more than | less than | |
| cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* | |||||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* | |||||
| cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* | 11.0 | ||||