Eclipse Jetty CVE-2020-27218 vulnerability in Eclipse and Other Products
Published on November 28, 2020

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.


Weakness Type: Sensitive Information in Resource Not Removed Before Reuse

When a device releases a resource such as memory or a file for reuse by other entities, information contained in the resource is not fully cleared prior to reuse of the resource.


Products Associated with CVE-2020-27218

The Eclipse Foundation Eclipse Jetty

Affected Versions

Eclipse Jetty 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2 (the ranges given in the description above).

Vulnerable Packages

The following package name and versions may be associated with CVE-2020-27218:

Package Manager   Vulnerable Package               Versions              Fixed In
maven             org.eclipse.jetty:jetty-server   >= 9.4.0, <= 9.4.34   9.4.35.v20201120
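A quick way to check whether a build pulls in an affected Jetty release is to compare the dependency versions against the three ranges stated above. The script below is an added example, not code from stack.watch or the Jetty project. It parses Jetty's version naming (alpha, beta and RC pre-releases, then final releases with or without a vYYYYMMDD suffix), assumes the ordering alpha < beta < RC < final, and scans constructed `mvn dependency:list` style output lines; it flags every org.eclipse.jetty artifact whose version falls in an affected range, since the ranges on this page are stated for Jetty as a whole, while the package table names jetty-server as the vulnerable package.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as given in the CVE description (inclusive on both ends).
AFFECTED_RANGES = (
    ("9.4.0.RC0", "9.4.34.v20201102"),
    ("10.0.0.alpha0", "10.0.0.beta2"),
    ("11.0.0.alpha0", "11.0.0.beta2"),
)

# Assumed pre-release ordering for Jetty qualifiers; a final release ranks above all of them.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# major.minor.micro optionally followed by ".<letters><digits>" (RC0, beta2, v20201102, ...)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?$")

# Matches a resolved Maven coordinate such as org.eclipse.jetty:jetty-server:jar:9.4.34.v20201102:compile
_DEP_RE = re.compile(r"(org\.eclipse\.jetty):([\w.-]+):jar:([^:\s]+):(\w+)")

VersionKey = Tuple[int, int, int, int, int]


def parse_jetty_version(version: str) -> VersionKey:
    """Turn a Jetty version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    qualifier, number = m.group(4), m.group(5)
    if qualifier is None or qualifier.lower() == "v":
        # "9.4.35" or "9.4.35.v20201120": the date stamp is a build id, not a pre-release marker.
        return (major, minor, micro, _FINAL_RANK, 0)
    rank = _QUALIFIER_RANK.get(qualifier.lower())
    if rank is None:
        raise ValueError(f"unknown qualifier {qualifier!r} in {version!r}")
    return (major, minor, micro, rank, int(number or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges on this page."""
    key = parse_jetty_version(version)
    return any(
        parse_jetty_version(low) <= key <= parse_jetty_version(high)
        for low, high in AFFECTED_RANGES
    )


def find_affected_dependencies(dependency_list_output: str) -> List[Tuple[str, str]]:
    """Scan mvn dependency:list style output and return (coordinate, version) for affected Jetty artifacts."""
    hits = []
    for line in dependency_list_output.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if is_affected(version):
            hits.append((f"{group}:{artifact}", version))
    return hits


# Constructed sample output in the shape of `mvn dependency:list`; not taken from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.34.v20201102:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:9.4.34.v20201102:compile
[INFO]    org.eclipse.jetty:jetty-util:jar:9.4.35.v20201120:compile
[INFO]    javax.servlet:javax.servlet-api:jar:3.1.0:compile
"""

if __name__ == "__main__":
    for coordinate, version in find_affected_dependencies(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED by CVE-2020-27218: {coordinate} {version}")
```

For the 9.4 line the page gives 9.4.35.v20201120 as the fixed version; the 10.0 and 11.0 ranges end at beta2, and the script treats any later pre-release or final build in those lines as outside the affected range.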

Exploit Probability

EPSS: 0.60%
Percentile: 69.01%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.