Sbordet

#51911 of 53,633
4.3 CVSS total
Vulnerabilities · 1
PT-2023-9272
4.3
2023-09-14
Eclipse · Eclipse Jetty · CVE-2023-36479
**Name of the Vulnerable Software and Affected Versions**

- Eclipse Jetty versions prior to 9.4.52
- Eclipse Jetty versions prior to 10.0.16
- Eclipse Jetty versions prior to 11.0.16
- Eclipse Jetty versions prior to 12.0.0-beta2

**Description**

The issue is related to the formation of a command line that contains multiple tokens instead of one, which can allow a remote attacker to execute arbitrary code. This occurs when a user sends a request to the `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name. The servlet will escape the command by wrapping it in quotation marks, and if the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called `file" name "here`, the escaping algorithm will generate the command line string `"file" name "here"`, which will invoke the binary named `file`, not the one that the user requested.

**Recommendations**

- For Eclipse Jetty versions prior to 9.4.52, update to version 9.4.52 or later.
- For Eclipse Jetty versions prior to 10.0.16, update to version 10.0.16 or later.
- For Eclipse Jetty versions prior to 11.0.16, update to version 11.0.16 or later.
- For Eclipse Jetty versions prior to 12.0.0-beta2, update to version 12.0.0-beta2 or later.

As a temporary workaround, consider not using the `org.eclipse.jetty.servlets.CGI` Servlet, and instead use Fast CGI support.
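The quoting flaw from the description, modelled in Python as an added example (not Jetty's Java code and not the project's fix). The function names are hypothetical, `shlex`'s POSIX quote rules are an assumed stand-in for the tokenizer that consumes the command line, and `safe_argv` is one possible hardened form.

```python
import shlex

QUOTE_CHARS = ('"', "'")


def naive_quote(binary_name: str) -> str:
    """Flawed escaping from the description: wrap in quotation marks,
    leaving any quotation marks already inside the name untouched."""
    if " " in binary_name:
        return '"' + binary_name + '"'
    return binary_name


def tokenize(command_line: str) -> list:
    # Assumption: shlex's POSIX quote rules model the launcher's tokenizer.
    return shlex.split(command_line)


def audit(binary_name: str) -> dict:
    """Report whether the quoted command line still names one binary."""
    line = naive_quote(binary_name)
    toks = tokenize(line)
    return {"command_line": line, "tokens": toks,
            "single_token": toks == [binary_name]}


def safe_argv(binary_name: str) -> list:
    """Hardened form: refuse names with quotes or control characters and
    hand the launcher an argument vector, never a re-parsed string."""
    if any(q in binary_name for q in QUOTE_CHARS):
        raise ValueError("quotation mark in binary name")
    if any(ord(c) < 0x20 for c in binary_name):
        raise ValueError("control character in binary name")
    return [binary_name]


if __name__ == "__main__":
    # Constructed inputs; the second is the example name from the description.
    for name in ("my script", 'file" name "here'):
        print(audit(name))
        try:
            print("argv:", safe_argv(name))
        except ValueError as exc:
            print("rejected:", exc)
```

The `single_token` check in `audit` is the invariant to test for: after quoting, the command line must tokenize back to exactly the requested name.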