CVE-2020-27223

DEB

MediumConfirmedExploit available

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accep…

CVSS

5.3

Medium

EPSS

0.34

p97

Published

2020-01-01

Updated

2020-01-01

Description

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Tags · CWE

Pre-auth

CWE-400

CWE-407

CAPEC-147

CAPEC-227

CAPEC-492

Affected products

Debian_linux

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

2020-01-01

Published

2020-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: N

None (N)

Integrity Impact

I: N

None (N)

Availability Impact

A: L

Low (L)

Exploit indicators

EPSS

0.338 · p97

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1499Endpoint Denial of Service

└ via CAPEC-227 · CWE-400

Known exploits — Сканер-ВС

CVE-2020-27223

github-poc · https://github.com/ttestoo/Jetty-CVE-2020-27223

Enterprise

Affected software

Product	Vendor	Status
jenkins		Tracked
jenkins		Tracked
jenkins		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
jetty9		Tracked
debian_linux	*	Tracked

Source databases

DEB

CVE

RED

UBU

Related vulnerabilities

BDU:2022-00250