PT-2023-9272 · Eclipse+4 · Eclipse Jetty+4
Sbordet · Published 2023-09-14 · Updated 2026-05-18
CVE-2023-36479
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty versions prior to 9.4.52
Eclipse Jetty versions prior to 10.0.16
Eclipse Jetty versions prior to 11.0.16
Eclipse Jetty versions prior to 12.0.0-beta2
Description
The issue is related to the formation of a command line that contains multiple tokens instead of one, which can allow a remote attacker to execute arbitrary code. This occurs when a user sends a request to the org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name. The servlet will escape the command by wrapping it in quotation marks, and if the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called `file" name "here`, the escaping algorithm will generate the command line string `"file" name "here"`, which will invoke the binary named `file`, not the one that the user requested.
Recommendations
For Eclipse Jetty versions prior to 9.4.52, update to version 9.4.52 or later.
For Eclipse Jetty versions prior to 10.0.16, update to version 10.0.16 or later.
For Eclipse Jetty versions prior to 11.0.16, update to version 11.0.16 or later.
For Eclipse Jetty versions prior to 12.0.0-beta2, update to version 12.0.0-beta2 or later.
As a temporary workaround, consider not using the org.eclipse.jetty.servlets.CGI Servlet, and instead use Fast CGI support.
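The tokenization problem from the Description, modelled as an added example (not Jetty's code and not part of the original advisory): `naive_quote` reproduces the wrapping the Description describes, Python's `shlex` is assumed as a stand-in for a quote-aware command-line parser, and `build_argv` with its `/srv/cgi-bin` directory is a hypothetical hardened alternative that passes the name as a single argv element.

```python
import posixpath
import shlex


def naive_quote(name: str) -> str:
    # Model of the escaping described above: a name containing a space is
    # wrapped in double quotes; quotes already inside it are left untouched.
    return f'"{name}"' if " " in name else name


def tokens(command_line: str) -> list[str]:
    # Assumption: shlex stands in for a quote-aware command-line tokenizer.
    return shlex.split(command_line, posix=True)


def survives_quoting(name: str) -> bool:
    # True only if the quoted string parses back to exactly the requested name.
    try:
        return tokens(naive_quote(name)) == [name]
    except ValueError:  # unbalanced quotes after wrapping
        return False


def build_argv(cgi_dir: str, name: str) -> list[str]:
    # Hardened form (hypothetical helper): no command string is ever built.
    # The name is validated and returned as one argv element, so a space in
    # it cannot create extra tokens.
    if not name or name in (".", "..") or any(c in name for c in '"\'\\/\0'):
        raise ValueError(f"rejected CGI name: {name!r}")
    return [posixpath.join(cgi_dir, name)]


if __name__ == "__main__":
    # Constructed inputs; the last one is the name used in the Description.
    for requested in ("report.cgi", "my script", 'file" name "here'):
        line = naive_quote(requested)
        print(f"{requested!r} -> {line!r} -> {tokens(line)} "
              f"single token: {survives_quoting(requested)}")
```
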
Affected Products
Alt Linux
Astra Linux
Eclipse Jetty
Red Os
Suse