Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-36479

Опубликовано: 15 сент. 2023
Источник: nvd
CVSS3: 3.5
CVSS3: 3.1
EPSS Низкий

Описание

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
Версия от 9.0.0 (включая) до 9.4.52 (исключая)
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
Версия от 10.0.0 (включая) до 10.0.16 (исключая)
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
Версия от 11.0.0 (включая) до 11.0.16 (исключая)
cpe:2.3:a:eclipse:jetty:12.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta0:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta1:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

EPSS

Процентиль: 74%
0.00862
Низкий

3.5 Low

CVSS3

3.1 Low

CVSS3

Дефекты

CWE-149
NVD-CWE-Other

Связанные уязвимости

ubuntu логотип

CVE-2023-36479

CVSS3: 3.5
ubuntu
почти 2 года назад

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

redhat логотип

CVE-2023-36479

CVSS3: 3.5
redhat
почти 2 года назад

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

debian логотип

CVE-2023-36479

CVSS3: 3.5
debian
почти 2 года назад

Eclipse Jetty Canonical Repository is the canonical repository for the ...

github логотип

GHSA-3gh6-v5v9-6v9j

CVSS3: 3.5
github
почти 2 года назад

Jetty vulnerable to errant command quoting in CGI Servlet

fstec логотип

BDU:2024-05833

CVSS3: 4.3
fstec
почти 2 года назад

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с неправильной нейтрализацией синтаксиса цитирования, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 74%
0.00862
Низкий

3.5 Low

CVSS3

3.1 Low

CVSS3

Дефекты

CWE-149
NVD-CWE-Other