ghsa-p26g-97m4-6q7c
Vulnerability from github
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.
If Jetty sees a cookie VALUE that starts with "
(double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.
So, a cookie header such as:
DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"
will be parsed as one cookie, with the name DISPLAY_LANGUAGE
and a value of b; JSESSIONID=1337; c=d
instead of 3 separate cookies.
Impact
This has security implications because if, say, JSESSIONID
is an HttpOnly
cookie, and the DISPLAY_LANGUAGE
cookie value is rendered on the page, an attacker can smuggle the JSESSIONID
cookie into the DISPLAY_LANGUAGE
cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.
Patches
- 9.4.51.v20230217 - via PR #9352
- 10.0.15 - via PR #9339
- 11.0.15 - via PR #9339
Workarounds
No workarounds
References
- https://www.rfc-editor.org/rfc/rfc2965
- https://www.rfc-editor.org/rfc/rfc6265
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-server" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "9.4.51.v20230217" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-server" }, "ranges": [ { "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.14" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-server" }, "ranges": [ { "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.14" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-server" }, "ranges": [ { "events": [ { "introduced": "12.0.0alpha0" }, { "fixed": "12.0.0.beta0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-26049" ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2023-04-18T22:19:57Z", "nvd_published_at": "2023-04-18T21:15:09Z", "severity": "LOW" }, "details": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.\n\nIf Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.\n\nSo, a cookie header such as:\n\n`DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d`\n\ninstead of 3 separate cookies.\n\n### Impact\nThis has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.\n\n### Patches\n* 9.4.51.v20230217 - via PR #9352\n* 10.0.15 - via PR #9339\n* 11.0.15 - via PR #9339\n\n### Workarounds\nNo workarounds\n\n### References\n* https://www.rfc-editor.org/rfc/rfc2965\n* https://www.rfc-editor.org/rfc/rfc6265\n", "id": "GHSA-p26g-97m4-6q7c", "modified": "2023-04-18T22:19:57Z", "published": "2023-04-18T22:19:57Z", "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/pull/9339" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/pull/9352" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230526-0001" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5507" }, { "type": "WEB", "url": "https://www.rfc-editor.org/rfc/rfc2965" }, { "type": "WEB", "url": "https://www.rfc-editor.org/rfc/rfc6265" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Eclipse Jetty\u0027s cookie parsing of quoted values can exfiltrate values from other cookies" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.