Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xdzY5LXJxajgtNnF3OM4AAy3u
OutOfMemoryError for large multipart without filename in Eclipse Jetty
Impact
Servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and a very large content.
This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk.
An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError.
However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.
A very large number of parts may cause the same problem.
Patches
Patched in Jetty versions
- 9.4.51.v20230217 - via PR #9345
- 10.0.14 - via PR #9344
- 11.0.14 - via PR #9344
Workarounds
Multipart parameter maxRequestSize must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
Limiting multipart parameter maxFileSize won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.
References
- https://github.com/eclipse/jetty.project/issues/9076
- https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xdzY5LXJxajgtNnF3OM4AAy3u
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 6 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-qw69-rqj8-6qw8, CVE-2023-26048
References:
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
- https://nvd.nist.gov/vuln/detail/CVE-2023-26048
- https://github.com/eclipse/jetty.project/issues/9076
- https://github.com/eclipse/jetty.project/pull/9344
- https://github.com/eclipse/jetty.project/pull/9345
- https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
- https://security.netapp.com/advisory/ntap-20230526-0001/
- https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217
- https://www.debian.org/security/2023/dsa-5507
- https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
- https://github.com/advisories/GHSA-qw69-rqj8-6qw8
Blast Radius: 24.1
Affected Packages
maven:org.eclipse.jetty:jetty-server
Dependent packages: 3,819Dependent repositories: 34,580
Downloads:
Affected Version Ranges: < 9.4.51.v20230217, >= 11.0.0, < 11.0.14, >= 10.0.0, < 10.0.14
Fixed in: 9.4.51.v20230217, 11.0.14, 10.0.14
All affected versions: 9.4.5-0.v20221201, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.0.13
All unaffected versions: 10.0.14, 10.0.15, 10.0.16, 10.0.17, 10.0.18, 10.0.19, 10.0.20, 11.0.14, 11.0.15, 11.0.16, 11.0.17, 11.0.18, 11.0.19, 11.0.20, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8