PT-2023-5109 · Eclipse · Eclipse Jetty

Published 2023-04-18 · Updated 2026-05-18 · CVE-2023-26048

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty versions prior to 9.4.51
Eclipse Jetty versions prior to 10.0.14
Eclipse Jetty versions prior to 11.0.14

Description
The vulnerability is in the HttpServletRequest.getParameter() and HttpServletRequest.getParts() functions of the Eclipse Jetty servlet container. When a client sends a multipart request containing a part that has a name but no filename and very large content, that content is read into memory and can trigger an OutOfMemoryError. An attacker can exploit this to cause a denial of service. The server may recover after the OutOfMemoryError and continue serving requests, although recovery can take some time.

Recommendations
For versions prior to 9.4.51, upgrade to version 9.4.51 or later. For versions prior to 10.0.14, upgrade to version 10.0.14 or later. For versions prior to 11.0.14, upgrade to version 11.0.14 or later. As a temporary workaround, set the multipart parameter maxRequestSize to a non-negative value to limit the size of the whole multipart body; note that the content up to that limit is still read into memory.
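An added example (not code from the advisory or from the Jetty project) of applying the workaround above on embedded Jetty 9.4: the multipart limits are registered on the servlet through the standard Servlet 3.x MultipartConfigElement, and the servlet maps the IllegalStateException that the Servlet API raises when maxRequestSize or maxFileSize is exceeded to a 413 response. The port, path and size values are assumptions.

```java
import java.io.IOException;
import javax.servlet.MultipartConfigElement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
public class BoundedMultipartServer {
    // Constructed example servlet. A part with a name but no filename is handled as a
    // form field and buffered in memory, so a request-wide cap is what bounds the heap.
    public static class UploadServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            try {
                long total = 0;
                for (Part part : req.getParts()) {
                    total += part.getSize();
                }
                resp.getWriter().println("received " + total + " bytes across all parts");
            } catch (IllegalStateException tooLarge) {
                // The Servlet API specifies that getParts() throws IllegalStateException
                // when the body exceeds maxRequestSize or any part exceeds maxFileSize.
                resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                        "multipart request exceeds the configured size limit");
            }
        }
    }
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);   // port is an assumption
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        server.setHandler(context);
        ServletHolder holder = context.addServlet(UploadServlet.class, "/upload");
        // Weak setting: maxRequestSize = -1 (the MultipartConfigElement default) means
        // unlimited. The corrected setting below caps the whole multipart body.
        MultipartConfigElement bounded = new MultipartConfigElement(
                System.getProperty("java.io.tmpdir"),
                5L * 1024 * 1024,    // maxFileSize: 5 MiB per part (assumed value)
                10L * 1024 * 1024,   // maxRequestSize: 10 MiB for the whole body (assumed value)
                64 * 1024);          // fileSizeThreshold: spill parts over 64 KiB to disk
        holder.getRegistration().setMultipartConfig(bounded);
        server.start();
        server.join();
    }
}
```

Even with the cap in place, up to maxRequestSize bytes of form-field parts are still buffered in memory per request, so size the limit against the heap and the expected request concurrency; the upgrade remains the actual fix.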

Exploit

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits


Weakness Enumeration

Related identifiers

ALSA-2025_16880
ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2023-05675
CLEANSTART-2026-SQ91016
CLEANSTART-2026-WK99982
CVE-2023-26048
DLA-3592-1
DSA-5507-1
GHSA-QW69-RQJ8-6QW8
OESA-2024-2268
OESA-2024-2297
OESA-2024-2298
OESA-2024-2299
OESA-2024-2300
OPENSUSE-SU-2024:12949-1
RHSA-2023:7637
RHSA-2023:7638
RHSA-2023:7639
RHSA-2024:0778
RHSA-2024:0798
RHSA-2024:0799
RHSA-2024:0800
SUSE-SU-2023:2539-1
SUSE-SU-2023_2539-1

Affected products

Alt Linux
Astra Linux
Eclipse Jetty
Red Os
Suse