CVE-2023-36478

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

History

21 Jun 2024, 19:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240621-0006/ -

16 Feb 2024, 18:40

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
First Time Debian
Debian debian Linux
References () https://security.netapp.com/advisory/ntap-20231116-0011/ - () https://security.netapp.com/advisory/ntap-20231116-0011/ - Third Party Advisory
References (MISC) https://www.debian.org/security/2023/dsa-5540 - (MISC) https://www.debian.org/security/2023/dsa-5540 - Third Party Advisory
References (MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html - (MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html - Mailing List

16 Nov 2023, 16:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20231116-0011/ -

31 Oct 2023, 07:15

Type Values Removed Values Added
References
  • (MISC) https://www.debian.org/security/2023/dsa-5540 -

30 Oct 2023, 22:15

Type Values Removed Values Added
CWE CWE-400
References
  • (MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html -

27 Oct 2023, 19:12

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Jenkins jenkins
Eclipse
Jenkins
Eclipse jetty
CWE CWE-190
References (MISC) https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r - (MISC) https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r - Exploit, Vendor Advisory
References (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 - (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 - Release Notes
References (MISC) http://www.openwall.com/lists/oss-security/2023/10/18/4 - (MISC) http://www.openwall.com/lists/oss-security/2023/10/18/4 - Mailing List, Third Party Advisory
References (MISC) https://github.com/eclipse/jetty.project/pull/9634 - (MISC) https://github.com/eclipse/jetty.project/pull/9634 - Issue Tracking, Patch
References (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 - (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 - Release Notes
References (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009 - (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009 - Release Notes
CPE cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

18 Oct 2023, 21:15

Type Values Removed Values Added
CWE CWE-190
CWE-400
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/10/18/4 -

10 Oct 2023, 17:52

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-10 17:15

Updated : 2024-06-21 19:15


NVD link : CVE-2023-36478

Mitre link : CVE-2023-36478

CVE.ORG link : CVE-2023-36478


JSON object : View

Products Affected

jenkins

  • jenkins

debian

  • debian_linux

eclipse

  • jetty
CWE
CWE-190

Integer Overflow or Wraparound

CWE-400

Uncontrolled Resource Consumption