PT-2023-5724 · Eclipse · Jetty

Andrewmcguinness · Published 2023-03-23 · Updated 2026-05-18

CVE-2023-41900
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jetty versions 9.4.21 through 9.4.51
Jetty version 10.0.15
Jetty version 11.0.15

Description

The issue is weak authentication in Jetty when the OpenIdAuthenticator is used together with a nested LoginService. If the LoginService revokes an already authenticated user, the current request still treats that user as authenticated. As a result, a request on a previously authenticated session can bypass authentication even after the LoginService has rejected the user. Only deployments of jetty-openid that configure a nested LoginService capable of rejecting previously authenticated users are affected.

Recommendations

For Jetty versions 9.4.21 through 9.4.51, upgrade to version 9.4.52 or later.
For Jetty version 10.0.15, upgrade to version 10.0.16 or later.
For Jetty version 11.0.15, upgrade to version 11.0.16 or later.

As a temporary workaround, consider disabling the OpenIdAuthenticator until a patch is available. Restrict access to the vulnerable LoginService to minimize the risk of exploitation, and avoid using the LoginService on the affected API endpoint until the issue is resolved.

Weakness Enumeration

Improper Authentication

Related Identifiers

ALSA-2025_16880
ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2023-06394
CLEANSTART-2026-SQ91016
CLEANSTART-2026-WK99982
CVE-2023-41900
DSA-5507-1
GHSA-PWH8-58VV-VW48
OPENSUSE-SU-2023_4210-1
OPENSUSE-SU-2024:13329-1
SUSE-SU-2023:4210-1

Affected Products

ALT Linux
Jetty
RED OS
SUSE