Vulnerability Database


CVE-2020-27223

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

CVSS v3:

  • Severity: Medium
  • Score: 5.3
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v2:

  • Severity: Low
  • Score: 4.3
  • AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

| Software | From | Fixed in |
|---|---|---|
| eclipse / jetty | 9.4.6-20170531 | 9.4.6-20170531.x |
| eclipse / jetty | 9.4.6-20180619 | 9.4.6-20180619.x |
| eclipse / jetty | 9.4.36-20210114 | 9.4.36-20210114.x |
| eclipse / jetty | 9.4.36 | 9.4.36.x |
| eclipse / jetty | 9.4.7 | 9.4.36 |
| eclipse / jetty | 10.0.0 | 10.0.0.x |
| eclipse / jetty | 11.0.0 | 11.0.0.x |
| apache / spark | 3.1.1 | 3.1.1.x |
| apache / nifi | 1.13.0 | 1.13.0.x |
| netapp / e-series_santricity_os_controller | 11.0.0 | 11.70.1.x |
| debian / debian_linux | 10.0 | 10.0.x |
| apache / solr | 8.8.1 | 8.8.1.x |
| oracle / rest_data_services | - | 20.4.3.050.1904 |
| org.eclipse.jetty / jetty-server | 9.4.6 | 9.4.37 |
| org.eclipse.jetty / jetty-server | 10.0.0 | 10.0.0.x |
| org.eclipse.jetty / jetty-server | 10.0.0 | 10.0.1 |
| org.eclipse.jetty / jetty-server | 11.0.0 | 11.0.0.x |
| org.eclipse.jetty / jetty-server | 11.0.0 | 11.0.1 |