Description
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
A flaw was found in Eclipse Jetty. When a gzip error occurs while inflating a request body, the buffer used for inflation can be released incorrectly, which can corrupt data or inadvertently share it between requests. If a gzip-compressed request body is malformed, decompression fails, and a later request may be handed the same buffer and process data left over from the earlier one.
Statement
This vulnerability is rated Important. The flaw lies in the buffer release logic of GzipHandler: when a gzip error is encountered while inflating a request body, the buffer is released incorrectly, and the request body data it holds can then be shared with, and corrupt, other concurrent requests, including requests that are not compressed. The result is exposure of one request's data to another and incorrect processing of requests that receive corrupted input.
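To make the failure mode concrete, here is an added example in Python. It is not Jetty's GzipHandler code and is not part of this advisory; it is a constructed model of the pattern the advisory describes: a pooled buffer released once too often on a gzip error, after which the pool hands the same buffer to two later requests. The BufferPool class, the inflate_* functions, the malformed gzip body and the version-range helper are all assumptions made for the illustration; the version helper only encodes the 9.4.0 to 9.4.56 range stated above.

```python
import gzip
import zlib

# Constructed model of a pooled-buffer inflater, added for illustration.
# It is NOT Jetty's GzipHandler code; it only reproduces the failure
# pattern the advisory describes: a buffer released incorrectly on a
# gzip error, after which two requests can be handed the same buffer.


class BufferPool:
    """Minimal free-list pool of reusable bytearray buffers (hypothetical)."""

    def __init__(self, size=64):
        self.size = size
        self.free = []

    def acquire(self):
        # Reuse a released buffer if one exists, else allocate a fresh one.
        return self.free.pop() if self.free else bytearray(self.size)

    def release(self, buf):
        # No ownership tracking: releasing the same buffer twice puts two
        # references to it on the free list.
        self.free.append(buf)


def _inflate_into(buf, body):
    data = gzip.decompress(body)  # raises on a malformed gzip body
    buf[: len(data)] = data
    return bytes(buf[: len(data)])


def inflate_vulnerable(pool, body):
    """Flawed release logic: the error branch releases the buffer and the
    finally clause releases it again, so one gzip error leaves the same
    buffer on the free list twice."""
    buf = pool.acquire()
    try:
        return _inflate_into(buf, body)
    except (OSError, EOFError, zlib.error):
        pool.release(buf)  # released here on error ...
        raise
    finally:
        pool.release(buf)  # ... and unconditionally here: double release


def inflate_fixed(pool, body):
    """Release exactly once, on every exit path."""
    buf = pool.acquire()
    try:
        return _inflate_into(buf, body)
    finally:
        pool.release(buf)


# Constructed malformed body: a valid gzip header followed by a deflate block
# whose BTYPE bits are 11 (reserved), which zlib rejects as an invalid block type.
MALFORMED_GZIP = b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03" + b"\x07not-deflate"
# Constructed well-formed body for the happy path.
VALID_GZIP = gzip.compress(b"hello world")


def later_requests_share_buffer(inflate, pool=None):
    """Simulate one request with a bad gzip body, then two later concurrent
    requests. Return True if request B's write is visible through request A's
    buffer, i.e. data is being shared between requests."""
    pool = pool or BufferPool()
    try:
        inflate(pool, MALFORMED_GZIP)
    except (OSError, EOFError, zlib.error):
        pass  # the server reports an error to that client and moves on
    buf_a = pool.acquire()  # request A
    buf_b = pool.acquire()  # request B, in flight at the same time
    buf_a[:4] = b"AAAA"
    buf_b[:4] = b"BBBB"
    leaked = bytes(buf_a[:4]) == b"BBBB"
    pool.release(buf_a)
    pool.release(buf_b)
    return leaked


def jetty_version_in_affected_range(version):
    """Check a Jetty version string against the 9.4.0 .. 9.4.56 range given
    in the advisory. Build suffixes such as '.v20240826' are ignored."""
    major, minor, micro = (int(p) for p in version.split(".")[:3])
    return (major, minor) == (9, 4) and 0 <= micro <= 56


if __name__ == "__main__":
    print("vulnerable shares buffer:", later_requests_share_buffer(inflate_vulnerable))
    print("fixed shares buffer:", later_requests_share_buffer(inflate_fixed))
    print("fixed inflates:", inflate_fixed(BufferPool(), VALID_GZIP))
    print("9.4.56 affected:", jetty_version_in_affected_range("9.4.56.v20240826"))
```

The point of the model is that the pool itself never checks ownership, so the only defence is releasing exactly once on every exit path; the fixed variant achieves that by relying solely on the finally clause. In a real deployment the practical check is the version helper: inventory jetty-server jars and flag any whose version falls inside the stated range.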
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
A-MQ Clients 2 | jetty-server | Affected | |
OpenShift Developer Tools and Services | jenkins | Not affected | |
Red Hat AMQ Broker 7 | jetty-server | Not affected | |
Red Hat build of Apache Camel - HawtIO 4 | jetty-server | Not affected | |
Red Hat build of Apicurio Registry 2 | jetty-server | Not affected | |
Red Hat build of Apicurio Registry 3 | jetty-server | Not affected | |
Red Hat build of Debezium 2 | jetty-server | Will not fix | |
Red Hat build of Debezium 3 | jetty-server | Will not fix | |
Red Hat Data Grid 8 | jetty-server | Affected | |
Red Hat Enterprise Linux 7 | maven-wagon | Out of support scope | |
Additional information
CVSS3: 7.2 High
Related vulnerabilities
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
**UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request
Vulnerability in the Eclipse Jetty servlet container related to improper cleanup or release of resources, allowing an attacker to bypass implemented security restrictions