Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-27223

Опубликовано: 26 фев. 2021
Источник: redhat
CVSS3: 5.3
EPSS Средний

Описание

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Отчет

In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Decision Manager 7jettyNot affected
Red Hat Developer Toolsrh-eclipse-jettyAffected
Red Hat Enterprise Linux 6jetty-eclipseOut of support scope
Red Hat Enterprise Linux 7jettyOut of support scope
Red Hat Enterprise Linux 8eclipse:rhel8/jettyWill not fix
Red Hat JBoss A-MQ 6jettyOut of support scope
Red Hat JBoss Fuse 6jettyOut of support scope
Red Hat JBoss Fuse Service Works 6jettyOut of support scope
Red Hat OpenShift Container Platform 4openshift4/ose-metering-hadoopWill not fix
Red Hat OpenShift Container Platform 4openshift4/ose-metering-hiveWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1934116jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS

EPSS

Процентиль: 97%
0.33816
Средний

5.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-27223

CVSS3: 5.2
ubuntu
почти 5 лет назад

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

nvd логотип

CVE-2020-27223

CVSS3: 5.2
nvd
почти 5 лет назад

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

debian логотип

CVE-2020-27223

CVSS3: 5.2
debian
почти 5 лет назад

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0 ...

suse-cvrf логотип

SUSE-SU-2021:0940-1

suse-cvrf
почти 5 лет назад

Security update for jetty-minimal

github логотип

GHSA-m394-8rww-3jr7

CVSS3: 5.3
github
почти 5 лет назад

DOS vulnerability for Quoted Quality CSV headers

EPSS

Процентиль: 97%
0.33816
Средний

5.3 Medium

CVSS3

Уязвимость CVE-2020-27223