CVE-2023-26048

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-26048
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26048.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-26048
Aliases
Downstream
Related
Published
2023-04-18T20:30:20.420Z
Modified
2026-04-10T04:56:31.056976Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
OutOfMemoryError for large multipart without filename in Eclipse Jetty
Details

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

Database specific 
{
    "cwe_ids": [
        "CWE-400"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26048.json"
}
References

Affected packages

Git / github.com/eclipse/jetty.project

Affected ranges

Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b45c405e4544384de066f814ed42ae3dceacdd49
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.4.51"
        }
    ]
}
Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
b9645a17373e4e9b7f30b6c0a07defcea2cb660b
Fixed
976721d0f3e903a243584d47870ad2f2c1bf9e55
Database specific 
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.0.14"
        }
    ]
}
Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
432f896d7a4555fcc81f38108757ea0aca8788e6
Fixed
4601fe8dd805ce75b69c64466c115a162586641b
Database specific 
{
    "versions": [
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.0.14"
        }
    ]
}

Affected versions

jetty-8.*
jetty-8.0.0.RC0
jetty-8.1.0.RC0
jetty-9.*
jetty-9.1.0.M0
jetty-9.1.0.RC0
jetty-9.1.0.RC1
jetty-9.1.0.RC2
jetty-9.1.0.v20131115
jetty-9.1.1.v20140108
jetty-9.1.2.v20140210
jetty-9.1.3.v20140225
jetty-9.1.4.v20140401
jetty-9.2.0.M0
jetty-9.2.0.M1
jetty-9.2.0.RC0
jetty-9.2.0.v20140523
jetty-9.2.0.v20140526
jetty-9.2.1.v20140609
jetty-9.4.10.v20180503
jetty-9.4.12.v20180830
jetty-9.4.13.v20181111
jetty-9.4.14.v20181114
jetty-9.4.15.v20190215
jetty-9.4.2.v20170220
jetty-9.4.26.v20200117
jetty-9.4.27.v20200227
jetty-9.4.28.v20200408
jetty-9.4.32.v20200930
jetty-9.4.36.v20210114
jetty-9.4.37.v20210219
jetty-9.4.39.v20210325
jetty-9.4.42.v20210604
jetty-9.4.6.v20170531

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26048.json"