CVE-2020-27223 vulnerability in Apache and Other Products
Published on February 26, 2021
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Vulnerability Analysis
Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH
Weakness Type
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Products Associated with CVE-2020-27223
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-27223 are published in these products:
Affected Versions
The Eclipse Foundation Eclipse Jetty:- Version 9.4.6.v20170531 and below unspecified is affected.
- Version unspecified, <= 9.4.36.v20210114 is affected.
- Version 10.0.0 is affected.
- Version 11.0.0 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2020-27223
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.eclipse.jetty:jetty-server | = 11.0.0 | 11.0.1 |
| maven | org.eclipse.jetty:jetty-server | = 10.0.0 | 10.0.1 |
| maven | org.eclipse.jetty:jetty-server | >= 9.4.6, < 9.4.37 | 9.4.37 |
Exploit Probability
EPSS
33.82%
Percentile
96.85%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.