Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2020-27218

Опубликовано: 28 нояб. 2020
Источник: nvd
CVSS3: 4.8
CVSS2: 5.8
EPSS Низкий

Описание

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
Версия от 9.4.0 (включая) до 9.4.35 (исключая)
cpe:2.3:a:eclipse:jetty:10.0.0:alpha0:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:10.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:10.0.0:beta0:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:10.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:11.0.0:alpha0:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:11.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
Версия от 3.0 (включая) до 3.1.3 (включая)
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
Версия до 21.1.2 (исключая)
cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
Версия от 8.0.0 (включая) до 8.2.4 (включая)
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*
Версия до 20.4.3.050.1904 (исключая)
cpe:2.3:a:oracle:retail_eftlink:20.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:*
Версия до 21.5 (включая)
Конфигурация 4

Одно из

cpe:2.3:a:apache:kafka:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:spark:2.4.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:spark:3.0.3:*:*:*:*:*:*:*
Конфигурация 5
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 69%
0.00599
Низкий

4.8 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-226
NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2020-27218

CVSS3: 4.8
ubuntu
около 5 лет назад

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

redhat логотип

CVE-2020-27218

CVSS3: 4.8
redhat
около 5 лет назад

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

debian логотип

CVE-2020-27218

CVSS3: 4.8
debian
около 5 лет назад

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 ...

suse-cvrf логотип

openSUSE-SU-2021:0012-1

suse-cvrf
около 5 лет назад

Security update for jetty-minimal

suse-cvrf логотип

SUSE-SU-2020:3922-1

suse-cvrf
около 5 лет назад

Security update for jetty-minimal

EPSS

Процентиль: 69%
0.00599
Низкий

4.8 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-226
NVD-CWE-noinfo