GHSA-qw69-rqj8-6qw8

Source

https://github.com/advisories/GHSA-qw69-rqj8-6qw8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json

Aliases

CVE-2023-26048

Published

2023-04-19T18:15:45Z

Modified

2024-02-20T05:33:41.250857Z

Details

Impact

Servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and a very large content.

This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk.

An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.

A very large number of parts may cause the same problem.

Patches

Patched in Jetty versions

9.4.51.v20230217 - via PR #9345
10.0.14 - via PR #9344
11.0.14 - via PR #9344

Workarounds

Multipart parameter maxRequestSize must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter maxFileSize won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.

References

https://github.com/eclipse/jetty.project/issues/9076
https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload

References

Affected packages

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

9.4.51.v20230217

Affected versions

7.*

7.0.0.M0

7.0.0.M1

7.0.0.M2

7.0.0.M3

7.0.0.M4

7.0.0.RC0

7.0.0.RC1

7.0.0.RC2

7.0.0.RC3

7.0.0.RC4

7.0.0.RC5

7.0.0.RC6

7.0.0.v20091005

7.0.1.v20091125

7.0.2.RC0

7.0.2.v20100331

7.1.0.RC0

7.1.0.RC1

7.1.0.v20100505

7.1.1.v20100517

7.1.2.v20100523

7.1.3.v20100526

7.1.4.v20100610

7.1.5.v20100705

7.1.6.v20100715

7.2.0.RC0

7.2.0.v20101020

7.2.1.v20101111

7.2.2.v20101205

7.3.0.v20110203

7.3.1.v20110307

7.4.0.RC0

7.4.0.v20110414

7.4.1.v20110513

7.4.2.v20110526

7.4.3.v20110701

7.4.4.v20110707

7.4.5.v20110725

7.5.0.RC0

7.5.0.RC1

7.5.0.RC2

7.5.0.v20110901

7.5.1.v20110908

7.5.2.v20111006

7.5.3.v20111011

7.5.4.v20111024

7.6.0.RC0

7.6.0.RC1

7.6.0.RC2

7.6.0.RC3

7.6.0.RC4

7.6.0.RC5

7.6.0.v20120127

7.6.1.v20120215

7.6.2.v20120308

7.6.3.v20120416

7.6.4.v20120524

7.6.5.v20120716

7.6.6.v20120903

7.6.7.v20120910

7.6.8.v20121106

7.6.9.v20130131

7.6.10.v20130312

7.6.11.v20130520

7.6.12.v20130726

7.6.13.v20130916

7.6.14.v20131031

7.6.15.v20140411

7.6.16.v20140903

7.6.17.v20150415

7.6.18.v20150929

7.6.19.v20160209

7.6.20.v20160902

7.6.21.v20160908

8.*

8.0.0.M0

8.0.0.M1

8.0.0.M2

8.0.0.M3

8.0.0.RC0

8.0.0.v20110901

8.0.1.v20110908

8.0.2.v20111006

8.0.3.v20111011

8.0.4.v20111024

8.1.0.RC0

8.1.0.RC1

8.1.0.RC2

8.1.0.RC4

8.1.0.RC5

8.1.0.v20120127

8.1.1.v20120215

8.1.2.v20120308

8.1.3.v20120416

8.1.4.v20120524

8.1.5.v20120716

8.1.6.v20120903

8.1.7.v20120910

8.1.8.v20121106

8.1.9.v20130131

8.1.10.v20130312

8.1.11.v20130520

8.1.12.v20130726

8.1.13.v20130916

8.1.14.v20131031

8.1.15.v20140411

8.1.16.v20140903

8.1.17.v20150415

8.1.18.v20150929

8.1.19.v20160209

8.1.20.v20160902

8.1.21.v20160908

8.1.22.v20160922

8.2.0.v20160908

9.*

9.0.0.M0

9.0.0.M1

9.0.0.M2

9.0.0.M3

9.0.0.M4

9.0.0.M5

9.0.0.RC0

9.0.0.RC1

9.0.0.RC2

9.0.0.v20130308

9.0.1.v20130408

9.0.2.v20130417

9.0.3.v20130506

9.0.4.v20130625

9.0.5.v20130815

9.0.6.v20130930

9.0.7.v20131107

9.1.0.M0

9.1.0.RC0

9.1.0.RC1

9.1.0.RC2

9.1.0.v20131115

9.1.1.v20140108

9.1.2.v20140210

9.1.3.v20140225

9.1.4.v20140401

9.1.5.v20140505

9.1.6.v20160112

9.2.0.M0

9.2.0.M1

9.2.0.RC0

9.2.0.v20140526

9.2.1.v20140609

9.2.2.v20140723

9.2.3.v20140905

9.2.4.v20141103

9.2.5.v20141112

9.2.6.v20141205

9.2.7.v20150116

9.2.8.v20150217

9.2.9.v20150224

9.2.10.v20150310

9.2.11.M0

9.2.11.v20150529

9.2.12.M0

9.2.12.v20150709

9.2.13.v20150730

9.2.14.v20151106

9.2.15.v20160210

9.2.16.v20160414

9.2.17.v20160517

9.2.18.v20160721

9.2.19.v20160908

9.2.20.v20161216

9.2.21.v20170120

9.2.22.v20170606

9.2.23.v20171218

9.2.24.v20180105

9.2.25.v20180606

9.2.26.v20180806

9.2.27.v20190403

9.2.28.v20190418

9.2.29.v20191105

9.2.30.v20200428

9.3.0.M0

9.3.0.M1

9.3.0.M2

9.3.0.RC0

9.3.0.RC1

9.3.0.v20150612

9.3.1.v20150714

9.3.2.v20150730

9.3.3.v20150827

9.3.4.RC0

9.3.4.RC1

9.3.4.v20151007

9.3.5.v20151012

9.3.6.v20151106

9.3.7.RC0

9.3.7.RC1

9.3.7.v20160115

9.3.8.RC0

9.3.8.v20160314

9.3.9.M0

9.3.9.M1

9.3.9.v20160517

9.3.10.M0

9.3.10.v20160621

9.3.11.M0

9.3.11.v20160721

9.3.12.v20160915

9.3.13.M0

9.3.13.v20161014

9.3.14.v20161028

9.3.15.v20161220

9.3.16.v20170120

9.3.17.RC0

9.3.17.v20170317

9.3.18.v20170406

9.3.19.v20170502

9.3.20.v20170531

9.3.21.M0

9.3.21.RC0

9.3.21.v20170918

9.3.22.v20171030

9.3.23.v20180228

9.3.24.v20180605

9.3.25.v20180904

9.3.26.v20190403

9.3.27.v20190418

9.3.28.v20191105

9.3.29.v20201019

9.3.30.v20211001

9.4.0.M0

9.4.0.M1

9.4.0.RC0

9.4.0.RC1

9.4.0.RC2

9.4.0.RC3

9.4.0.v20161208

9.4.0.v20180619

9.4.1.v20170120

9.4.1.v20180619

9.4.2.v20170220

9.4.2.v20180619

9.4.3.v20170317

9.4.3.v20180619

9.4.4.v20170414

9.4.4.v20180619

9.4.5.v20170502

9.4.5.v20180619

9.4.6.v20170531

9.4.6.v20180619

9.4.7.RC0

9.4.7.v20170914

9.4.7.v20180619

9.4.8.v20171121

9.4.8.v20180619

9.4.9.v20180320

9.4.10.RC0

9.4.10.RC1

9.4.10.v20180503

9.4.11.v20180605

9.4.12.RC0

9.4.12.RC1

9.4.12.RC2

9.4.12.v20180830

9.4.13.v20181111

9.4.14.v20181114

9.4.15.v20190215

9.4.16.v20190411

9.4.17.v20190418

9.4.18.v20190429

9.4.19.v20190610

9.4.20.v20190813

9.4.21.v20190926

9.4.22.v20191022

9.4.23.v20191118

9.4.24.v20191120

9.4.25.v20191220

9.4.26.v20200117

9.4.27.v20200227

9.4.28.v20200408

9.4.29.v20200521

9.4.30.v20200611

9.4.31.v20200723

9.4.32.v20200930

9.4.33.v20201020

9.4.34.v20201102

9.4.35.v20201120

9.4.36.v20210114

9.4.37.v20210219

9.4.38.v20210224

9.4.39.v20210325

9.4.40.v20210413

9.4.41.v20210516

9.4.42.v20210604

9.4.43.v20210629

9.4.44.v20210927

9.4.45.v20220203

9.4.46.v20220331

9.4.47.v20220610

9.4.48.v20220622

9.4.49.v20220914

9.4.50.v20221201

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.0.14

Affected versions

10.*

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

10.0.10

10.0.11

10.0.12

10.0.13

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.0.14

Affected versions

11.*

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

11.0.8

11.0.9

11.0.10

11.0.11

11.0.12

11.0.13