CVE-2019-17638

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-17638

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17638.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-17638

Aliases

GHSA-x3rh-m7vp-35f2

Related

Published

2020-07-09T18:15:10Z

Modified

2024-09-18T03:04:51.825239Z

Severity

9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator

Summary

[none]

Details

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).

References

Affected packages

Debian:11 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.31-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.31-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.31-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/eclipse/jetty.project

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/jetty.project
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

77c232aed8a45c818fd27232278d9f95a021095e

Last affected

a304fd9f351f337e7c0e2a7c28878dd536149c6c

Last affected

ab228fde9e55e9164c738d7fa121f8ac5acd51c9

Affected versions

Other

PRE-MERGE-20120719-1138

jetty-7.*

jetty-7.4.4.v20110707

jetty-7.5.0.RC0

jetty-7.5.0.RC1

jetty-7.5.0.RC2

jetty-7.5.0.v20110901

jetty-7.5.1.v20110907

jetty-7.5.1.v20110908

jetty-7.5.2.v20111006

jetty-7.5.3.v20111011

jetty-7.5.4.v20111024

jetty-7.6.0.RC0

jetty-7.6.0.RC1

jetty-7.6.0.RC2

jetty-7.6.0.RC3

jetty-7.6.0.RC4

jetty-7.6.0.RC5

jetty-7.6.0.v20120125

jetty-7.6.0.v20120127

jetty-7.6.1.v20120215

jetty-7.6.10.v20130312

jetty-7.6.11.v20130520

jetty-7.6.11.v20130725

jetty-7.6.12.v20130726

jetty-7.6.13.v20130910

jetty-7.6.2.v20120302

jetty-7.6.2.v20120308

jetty-7.6.3.v20120413

jetty-7.6.3.v20120416

jetty-7.6.4.v20120522

jetty-7.6.4.v20120524

jetty-7.6.5.v20120713

jetty-7.6.5.v20120716

jetty-7.6.6.v20120903

jetty-7.6.7.v20120910

jetty-7.6.8.v20121106

jetty-7.6.9.v20130131

jetty-8.*

jetty-8.0.0.RC0

jetty-8.0.0.v20110901

jetty-8.0.1.v20110907

jetty-8.0.1.v20110908

jetty-8.0.2.v20111006

jetty-8.0.3.v20111011

jetty-8.0.4.v20111024

jetty-8.1.0.RC0

jetty-8.1.0.RC1

jetty-8.1.0.RC2

jetty-8.1.0.RC4

jetty-8.1.0.RC5

jetty-8.1.0.v20120125

jetty-8.1.0.v20120127

jetty-8.1.1.v20120215

jetty-8.1.10.v20130312

jetty-8.1.11.v20130520

jetty-8.1.12.v20130725

jetty-8.1.12.v20130726

jetty-8.1.13.v20130910

jetty-8.1.13.v20130916

jetty-8.1.2.v20120302

jetty-8.1.2.v20120308

jetty-8.1.3.v20120413

jetty-8.1.3.v20120416

jetty-8.1.4.v20120522

jetty-8.1.4.v20120524

jetty-8.1.5.v20120713

jetty-8.1.5.v20120716

jetty-8.1.6.v20120903

jetty-8.1.7.v20120910

jetty-8.1.8.v20121106

jetty-8.1.9.v20130131

jetty-9.*

jetty-9.0.0.M0

jetty-9.0.0.M1

jetty-9.0.0.M2

jetty-9.0.0.M3

jetty-9.0.0.M4

jetty-9.0.0.M5

jetty-9.0.0.RC0

jetty-9.0.0.RC1

jetty-9.0.0.RC2

jetty-9.0.0.RC3

jetty-9.0.0.v20130308

jetty-9.0.1.v20130408

jetty-9.0.2.v20130417

jetty-9.0.2.v20140415

jetty-9.0.3.v20130506

jetty-9.0.4.v20130621

jetty-9.0.4.v20130625

jetty-9.0.5.v20130813

jetty-9.0.5.v20130815

jetty-9.0.6.v20130919

jetty-9.0.6.v20130930

jetty-9.0.7.v20131031

jetty-9.0.7.v20131107

jetty-9.0.x

jetty-9.1.0.M0

jetty-9.1.0.RC0

jetty-9.1.0.RC1

jetty-9.1.0.RC2

jetty-9.1.0.v20131115

jetty-9.1.1.v20140108

jetty-9.1.2.v20140210

jetty-9.1.3.v20140225

jetty-9.1.4.v20140401

jetty-9.2.0.M0

jetty-9.2.0.M1

jetty-9.2.0.RC0

jetty-9.2.0.v20140523

jetty-9.2.0.v20140526

jetty-9.2.1.v20140609

jetty-9.2.10.v20150310

jetty-9.2.11.M0

jetty-9.2.11.v20150528

jetty-9.2.11.v20150529

jetty-9.2.12.M0

jetty-9.2.12.v20150709

jetty-9.2.13.v20150730

jetty-9.2.14.v20151106

jetty-9.2.15.v20160210

jetty-9.2.16.v20160414

jetty-9.2.17.v20160517

jetty-9.2.18.v20160721

jetty-9.2.19.v20160908

jetty-9.2.2.v20140723

jetty-9.2.20.v20161216

jetty-9.2.21.v20170120

jetty-9.2.22.v20170606

jetty-9.2.23.v20171218

jetty-9.2.24.v20180105

jetty-9.2.25.v20180606

jetty-9.2.26.v20180806

jetty-9.2.27.v20190403

jetty-9.2.28.v20190418

jetty-9.2.29.v20191105

jetty-9.2.3.v20140905

jetty-9.2.4.v20141103

jetty-9.2.5.v20141112

jetty-9.2.6.v20141203

jetty-9.2.6.v20141205

jetty-9.2.7.v20150116

jetty-9.2.8.v20150217

jetty-9.2.9.v20150224

jetty-9.3.0.M0

jetty-9.3.0.v20150612

jetty-9.3.1.v20150714

jetty-9.3.10.M0

jetty-9.3.10.v20160621

jetty-9.3.11.M0

jetty-9.3.11.v20160721

jetty-9.3.12.v20160915

jetty-9.3.13.M0

jetty-9.3.13.v20161014

jetty-9.3.14.v20161028

jetty-9.3.15.v20161220

jetty-9.3.16.v20170120

jetty-9.3.17.v20170317

jetty-9.3.18.v20170406

jetty-9.3.19.v20170502

jetty-9.3.20.v20170531

jetty-9.3.21.M0

jetty-9.3.21.v20170918

jetty-9.3.22.v20171030

jetty-9.3.23.v20180228

jetty-9.3.24.v20180605

jetty-9.3.25.v20180904

jetty-9.3.26.v20190403

jetty-9.3.27.v20190418

jetty-9.3.28.v20191105

jetty-9.3.3.v20150825

jetty-9.3.3.v20150827

jetty-9.3.4.v20151007

jetty-9.3.5.v20151012

jetty-9.3.6.v20151106

jetty-9.3.7.RC0

jetty-9.3.7.RC1

jetty-9.3.7.v20160115

jetty-9.3.8.RC0

jetty-9.3.8.v20160314

jetty-9.3.9.M1

jetty-9.3.9.v20160517

jetty-9.4.0.M1

jetty-9.4.0.RC0

jetty-9.4.0.RC1

jetty-9.4.0.RC2

jetty-9.4.0.RC3

jetty-9.4.0.v20161207

jetty-9.4.0.v20161208

jetty-9.4.1.v20170120

jetty-9.4.10.v20180503

jetty-9.4.11.v20180605

jetty-9.4.12.v20180830

jetty-9.4.13.v20181111

jetty-9.4.14.v20181114

jetty-9.4.15.v20190215

jetty-9.4.16.v20190411

jetty-9.4.17.v20190418

jetty-9.4.18.v20190429

jetty-9.4.19.v20190610

jetty-9.4.2.v20170220

jetty-9.4.20.v20190813

jetty-9.4.21.v20190926

jetty-9.4.22.v20191022

jetty-9.4.23.v20191118

jetty-9.4.24.v20191120

jetty-9.4.25.v20191220

jetty-9.4.26.v20200117

jetty-9.4.27.v20200227

jetty-9.4.28.v20200408

jetty-9.4.29.v20200521

jetty-9.4.3.v20170317

jetty-9.4.4.v20170414

jetty-9.4.5.v20170502

jetty-9.4.6.v20170531

jetty-9.4.7.v20170914

jetty-9.4.8.v20171121

jetty-9.4.9.v20180320

npn-api-1.*

npn-api-1.0.0.v20120402

npn-api-1.1.0.v20120525