CVE-2023-41900

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

History

21 Jan 2024, 01:51

Type Values Removed Values Added
CWE CWE-1390 CWE-287
References () https://security.netapp.com/advisory/ntap-20231110-0004/ - () https://security.netapp.com/advisory/ntap-20231110-0004/ - Third Party Advisory

10 Nov 2023, 18:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20231110-0004/ -

16 Oct 2023, 19:20

Type Values Removed Values Added
References (MISC) https://www.debian.org/security/2023/dsa-5507 - (MISC) https://www.debian.org/security/2023/dsa-5507 - Third Party Advisory
First Time Debian debian Linux
Debian
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

29 Sep 2023, 12:15

Type Values Removed Values Added
References
  • (MISC) https://www.debian.org/security/2023/dsa-5507 -

20 Sep 2023, 15:20

Type Values Removed Values Added
References (MISC) https://github.com/eclipse/jetty.project/pull/9660 - (MISC) https://github.com/eclipse/jetty.project/pull/9660 - Patch
References (MISC) https://github.com/eclipse/jetty.project/pull/9528 - (MISC) https://github.com/eclipse/jetty.project/pull/9528 - Patch
References (MISC) https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48 - (MISC) https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48 - Exploit, Patch, Vendor Advisory
CPE cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
First Time Eclipse
Eclipse jetty
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3

17 Sep 2023, 12:01

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-15 21:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-41900

Mitre link : CVE-2023-41900

CVE.ORG link : CVE-2023-41900


JSON object : View

Products Affected

debian

  • debian_linux

eclipse

  • jetty
CWE
CWE-287

Improper Authentication

CWE-1390

Weak Authentication