PT-2021-5795 · Eclipse · Eclipse Jetty

Published 2021-02-26 · Updated 2025-09-29 · CVE-2020-27223

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty versions 9.4.6.v20170531 through 9.4.36.v20210114
Eclipse Jetty version 10.0.0
Eclipse Jetty version 11.0.0
Description
When Jetty handles a request containing multiple Accept headers with a large number of quality (q=) parameters, processing those quality values consumes enough CPU to put the server into a denial-of-service state; a single such request can exhaust minutes of CPU time. Only availability is affected: the CVSS vector records no confidentiality or integrity impact. The Jetty features that parse quality-ordered header lists, and so can trigger this behaviour, include default error handling, the StatisticsServlet, HttpServletRequest.getLocale() and HttpServletRequest.getLocales() (which parse Accept-Language), and the DefaultServlet's precompressed static content handling (which parses Accept-Encoding).
Recommendations
For Eclipse Jetty versions 9.4.6.v20170531 through 9.4.36.v20210114, update to version 9.4.37.v20210219 or greater.
For Eclipse Jetty version 10.0.0, update to version 10.0.1 or greater.
For Eclipse Jetty version 11.0.0, update to version 11.0.1 or greater.
If updating is not immediately possible, a temporary workaround is to avoid the code paths that parse quality-ordered header values: do not use the default error page/handler, do not deploy the StatisticsServlet where it is reachable from the network, do not call the getLocale/getLocales API, and do not enable precompressed static content in the DefaultServlet. The workaround only removes the listed features; it does not change the underlying header parsing, so updating remains the fix.
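Because the workaround is avoidance rather than a fix, a practitioner who cannot update immediately usually wants a cheap guard in front of the server that rejects requests carrying an abnormal number of q= parameters before any quality-based sorting runs. The code below is an added example written for this page; it is not Jetty code and not the upstream fix. It assumes a reverse proxy or filter that sees the raw header list, and the limit MAX_Q_PARAMS (50) and the sample headers are constructed values chosen for illustration. It also generalises from the advisory's Accept case to the other quality-ordered headers the listed features parse (Accept-Language, Accept-Encoding).

```python
"""Bounded handling of quality-ordered request headers.

Added example for this advisory (not Jetty code). The idea: count q=
parameters across every quality-ordered header in one linear pass and refuse
the request when the total exceeds a budget, so the expensive step (sorting
by quality) only ever runs on requests of normal size.
"""
import re
from typing import Iterable, List, Tuple

# Request headers whose values are quality-ordered lists (RFC 7231, section 5.3).
QUALITY_HEADERS = frozenset({"accept", "accept-language", "accept-encoding", "accept-charset"})

# Hypothetical cap on the total number of q= parameters one request may carry
# across all quality-ordered headers; real browsers send a handful.
MAX_Q_PARAMS = 50

# qvalue grammar from RFC 7231: "0" ["." 0*3DIGIT] / "1" ["." 0*3("0")]
_QVALUE = re.compile(r"^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$")


def count_q_params(header_values: Iterable[str]) -> int:
    """Count q= parameters over all instances of one header.

    A single linear scan with no sorting, so it stays cheap even on a
    hostile request with thousands of parameters."""
    total = 0
    for value in header_values:
        for element in value.split(","):
            for param in element.split(";")[1:]:
                name, _, _ = param.strip().partition("=")
                if name.strip().lower() == "q":
                    total += 1
    return total


def header_budget_exceeded(headers: List[Tuple[str, str]], limit: int = MAX_Q_PARAMS) -> bool:
    """True when the quality-ordered headers of one request carry more than
    `limit` q= parameters in total.

    Header names compare case-insensitively and repeated headers (several
    Accept lines, as in the advisory) are summed, not taken individually."""
    total = 0
    for name, value in headers:
        if name.lower() in QUALITY_HEADERS:
            total += count_q_params([value])
            if total > limit:
                return True
    return False


def parse_quality_list(value: str) -> List[Tuple[str, float]]:
    """Parse one quality-ordered header value into [(token, q)], highest q first.

    Intended to run only after header_budget_exceeded() returned False.
    A malformed or out-of-range q value makes the entry unacceptable (q=0),
    which is the conservative reading of the RFC."""
    entries = []
    for index, element in enumerate(value.split(",")):
        parts = [p.strip() for p in element.split(";")]
        token = parts[0]
        if not token:
            continue  # tolerate empty list elements such as a trailing comma
        q = 1.0
        for param in parts[1:]:
            name, _, raw = param.partition("=")
            if name.strip().lower() == "q":
                raw = raw.strip()
                q = float(raw) if _QVALUE.match(raw) else 0.0
        entries.append((token, q, index))
    # Higher q first; ties keep the order in which the client listed them.
    entries.sort(key=lambda e: (-e[1], e[2]))
    return [(token, q) for token, q, _ in entries]


def hostile_accept_headers(lines: int) -> List[Tuple[str, str]]:
    """Constructed sample modelled on the advisory's description: `lines`
    Accept header lines, each with several q= parameters. Not a real capture."""
    line = ", ".join(f"text/x-{i};q=0.{i % 10}" for i in range(8))
    return [("Accept", line) for _ in range(lines)]


# Constructed benign request headers, typical of a browser.
BENIGN_HEADERS = [
    ("Host", "example.internal"),
    ("Accept", "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"),
    ("Accept-Language", "en-GB, en;q=0.7, de;q=0.3"),
    ("Accept-Encoding", "gzip, deflate, br"),
]

if __name__ == "__main__":
    print("benign rejected:", header_budget_exceeded(BENIGN_HEADERS))
    print("hostile rejected:", header_budget_exceeded(hostile_accept_headers(40)))
    print(parse_quality_list(BENIGN_HEADERS[1][1]))
```

The budget check deliberately sums across repeated header lines: a client that splits its parameters over many Accept headers must not slip under a per-header limit. Rejecting over-budget requests with a 4xx response is a stop-gap for hosts that cannot yet move to 9.4.37.v20210219, 10.0.1 or 11.0.1; it does not replace the update.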

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2021-1992
BDU:2022-00250
BIT-NIFI-2020-27223
BIT-SOLR-2020-27223
BIT-SPARK-2020-27223
CVE-2020-27223
DSA-4949-1
GHSA-M394-8RWW-3JR7
OESA-2021-1166
OPENSUSE-SU-2024:10878-1
RHSA-2021:2431
RHSA-2021:2499
RHSA-2021:2517
SUSE-SU-2021:0940-1

Affected Products

Alt Linux
Astra Linux
Eclipse Jetty
Suse