Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-36479 (Medium) detected in jetty-servlets-9.4.36.v20210114.jar - autoclosed #147

Closed
mend-for-github-com bot opened this issue Nov 6, 2023 · 1 comment
Closed

CVE-2023-36479 (Medium) detected in jetty-servlets-9.4.36.v20210114.jar - autoclosed #147

mend-for-github-com bot opened this issue Nov 6, 2023 · 1 comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com
Copy link

CVE-2023-36479 - Medium Severity Vulnerability

Vulnerable Library - jetty-servlets-9.4.36.v20210114.jar

Utility Servlets from Jetty

Library home page: https://eclipse.org/jetty

Path to dependency file: /webgoat-lessons/xxe/pom.xml

Path to vulnerable library: /webgoat-lessons/xxe/pom.xml

Dependency Hierarchy:

  • wiremock-2.27.2.jar (Root Library)
    • jetty-servlets-9.4.36.v20210114.jar (Vulnerable Library)

Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240

Found in base branch: develop

Vulnerability Details

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Publish Date: 2023-09-15

URL: CVE-2023-36479

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3gh6-v5v9-6v9j

Release Date: 2023-09-15

Fix Resolution: org.eclipse.jetty:jetty-servlets:9.4.52.v20230823,10.0.16,11.0.16
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Nov 6, 2023
@mend-for-github-com mend-for-github-com bot changed the title CVE-2023-36479 (Medium) detected in jetty-servlets-9.4.36.v20210114.jar CVE-2023-36479 (Medium) detected in jetty-servlets-9.4.36.v20210114.jar - autoclosed Nov 6, 2023
@mend-for-github-com Mend for GitHub.com
Copy link
Author

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #152

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants