Jetty CGI Servlet Command Injection via Runtime.exec (Pre-9.4.52/10.0.16/11.0.16)
CVE-2023-36479 Published on September 15, 2023
Jetty vulnerable to errant command quoting in CGI Servlet
Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to the org.eclipse.jetty.servlets.CGI servlet for a binary whose name contains a space, the servlet "escapes" the command by wrapping it in double quotation marks. This wrapped command, plus an optional command prefix, is then executed as a single command string through a call to Runtime.exec. Because the quotation marks inside the name are not neutralized, a binary name that contains a quotation mark followed by a space closes the wrapping quotes early, and the resulting command line is split into multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
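The quoting defect described above, modelled as an added example in Python (standing in for Jetty's Java; this is not Jetty's own code). The vulnerable path reproduces the described behaviour: wrap a name containing a space in double quotes, prepend the optional command prefix, and hand the result over as one string that is then tokenized. The tokenizer is a simplified quote-aware whitespace splitter, and the hardened variant (a plain-file-name allowlist, resolution under a hypothetical CGI root, and an argv list passed to the process API so no re-tokenization happens) is an illustrative fix, not the patch Jetty actually shipped. All names, paths and inputs are constructed for the example.

```python
from __future__ import annotations

import re
import shlex
from pathlib import PurePosixPath

CGI_ROOT = "/var/www/cgi-bin"  # hypothetical CGI directory, not from the advisory


def quote_if_space_vulnerable(exec_cmd: str) -> str:
    # Model of the pre-fix behaviour: a name containing a space is "escaped"
    # by wrapping it in double quotes unless it already starts with one.
    # Quotation marks inside the name are left as they are.
    if exec_cmd and exec_cmd[0] != '"' and " " in exec_cmd:
        return '"' + exec_cmd + '"'
    return exec_cmd


def tokenize_command_line(cmd: str) -> list[str]:
    # Simplified quote-aware splitter standing in for the argv parsing a single
    # command *string* goes through: double quotes toggle grouping, whitespace
    # outside quotes ends a token.
    tokens: list[str] = []
    current: list[str] = []
    in_quote = False
    started = False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
            started = True
        elif ch.isspace() and not in_quote:
            if started:
                tokens.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        tokens.append("".join(current))
    return tokens


def build_argv_vulnerable(cmd_prefix: str, binary_name: str) -> list[str]:
    # Pre-fix flow: optional prefix + quoted name concatenated into ONE string,
    # which is then tokenized (the analogue of Runtime.exec(String)).
    cmd = quote_if_space_vulnerable(binary_name)
    if cmd_prefix:
        cmd = cmd_prefix + " " + cmd
    return tokenize_command_line(cmd)


# Allowlist for a single plain file name: no quotes, no slashes, no leading dot.
SAFE_SCRIPT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]*")


def build_argv_hardened(cmd_prefix: str, binary_name: str) -> list[str]:
    # Illustrative hardening (assumption, not Jetty's patch): reject anything
    # that is not a plain file name, resolve it under CGI_ROOT, and build argv
    # as a list so each element reaches the OS as exactly one argument
    # (subprocess.Popen(argv), the analogue of Runtime.exec(String[])).
    if not SAFE_SCRIPT_NAME.fullmatch(binary_name) or binary_name.strip() != binary_name:
        raise ValueError(f"rejected CGI name: {binary_name!r}")
    script = PurePosixPath(CGI_ROOT) / binary_name
    if script.parent != PurePosixPath(CGI_ROOT):  # defensive; regex already forbids '/'
        raise ValueError("CGI name escapes the CGI root")
    argv = shlex.split(cmd_prefix) if cmd_prefix else []
    argv.append(str(script))
    return argv


if __name__ == "__main__":
    # Constructed inputs: a benign name with a space, and the '" ' pattern
    # from the advisory.
    for name in ("my cgi", 'my" cgi'):
        print("vulnerable:", name, "->", build_argv_vulnerable("/usr/bin/perl", name))
        try:
            print("hardened:  ", name, "->", build_argv_hardened("/usr/bin/perl", name))
        except ValueError as err:
            print("hardened:  ", name, "->", err)
```

The benign name `my cgi` survives both paths as one argument; the name `my" cgi` is turned by the vulnerable path into two tokens (`my` and `cgi`) behind the prefix, which is exactly the "multiple tokens instead of one" outcome the advisory describes, while the hardened path rejects it before anything is executed.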
Vulnerability Analysis
CVE-2023-36479 is exploitable over the network, requires low privileges and no user interaction, and is rated as high attack complexity because it depends on a very specific command structure (a binary name containing a quotation mark followed by a space). Its CVSS 3.1 vector is AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N (base score 3.5, Low): no impact on confidentiality or availability, and a low impact on integrity, since the consequence is that the wrong command line is executed.
Weakness Type
Improper Neutralization of Quoting Syntax (CWE-149)
Quotes injected into an application can be used to compromise a system. As data are parsed, an injected, absent, duplicated or malformed quote may cause the process to take unexpected actions; here, a quote inside a user-supplied name terminates the quoting the servlet added and changes how the command line is tokenized.
Products Associated with CVE-2023-36479
Affected Versions
eclipse jetty.project:
- Version >= 9.0.0, <= 9.4.51 is affected.
- Version >= 10.0.0, <= 10.0.15 is affected.
- Version >= 11.0.0, <= 11.0.15 is affected.
- Version <= 12.0.0-beta1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2023-36479
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.eclipse.jetty:jetty-servlets | >= 9.0.0, <= 9.4.51 | 9.4.52 |
| maven | org.eclipse.jetty:jetty-servlets | >= 10.0.0, <= 10.0.15 | 10.0.16 |
| maven | org.eclipse.jetty:jetty-servlets | >= 11.0.0, <= 11.0.15 | 11.0.16 |
| maven | org.eclipse.jetty.ee8:jetty-ee8-servlets | <= 12.0.0-beta1 | 12.0.0-beta2 |
| maven | org.eclipse.jetty.ee9:jetty-ee9-servlets | <= 12.0.0-beta1 | 12.0.0-beta2 |
| maven | org.eclipse.jetty.ee10:jetty-ee10-servlets | <= 12.0.0-beta1 | 12.0.0-beta2 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with all other scored vulnerabilities.