
CVE-2023-26049: Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies

CVSS Score (v3.1): 2.4

Basic Information

EPSS Score: 0.54636%
Published: 4/18/2023
Updated: 11/6/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Package Name                     Ecosystem   Vulnerable Versions                 First Patched Version
org.eclipse.jetty:jetty-server   maven       >= 10.0.0, < 10.0.14                10.0.14
org.eclipse.jetty:jetty-server   maven       >= 11.0.0, < 11.0.14                11.0.14
org.eclipse.jetty:jetty-server   maven       >= 12.0.0alpha0, < 12.0.0.beta0     12.0.0.beta0
org.eclipse.jetty:jetty-server   maven       < 9.4.51.v20230217                  9.4.51.v20230217

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability CVE-2023-26049 stems from nonstandard cookie parsing in Jetty. The patches (PR #9339 and #9352) specifically modified the CookieCutter class to address improper handling of quoted values. The parseFields() method in CookieCutter was responsible for splitting cookie headers, and it failed to terminate a quoted value at a semicolon, so an attacker could smuggle other cookies inside one cookie's quoted value. The commit diffs show changes to the cookie parsing logic, confirming this function's role in the vulnerability.
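As an added illustration (not Miggo's or Jetty's code), the following Python models the two parsing behaviours the analysis describes on a constructed Cookie header: a strict split at every semicolon, and a lenient parser that reads a quote-initiated value through semicolons until the closing quote, as the unpatched parseFields() did. Comparing the two yields the cookie names that would be hidden inside another cookie's value, which is a useful check when reviewing request logs or writing a WAF rule; the function names and the sample header are assumptions.

```python
from typing import Dict, List

# Constructed sample header: one quoted value that, under lenient parsing,
# swallows the two cookies that follow it.
SAMPLE_HEADER = 'pref="x; sid=abc; flag=1"'


def parse_strict(header: str) -> Dict[str, str]:
    """Split at every ';' first (RFC 6265 style); a quote never spans a separator."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue  # ignore empty segments and bare tokens
        name, value = pair.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def parse_lenient(header: str) -> Dict[str, str]:
    """Model of the flawed behaviour: a value starting with '"' is read until the
    closing quote, even past ';', so later name=value pairs become part of it."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":  # skip separators and whitespace
            i += 1
        if i >= n:
            break
        eq, semi = header.find("=", i), header.find(";", i)
        if eq == -1 or (semi != -1 and semi < eq):  # bare token: skip to next ';'
            i = n if semi == -1 else semi + 1
            continue
        name, j = header[i:eq].strip(), eq + 1
        if j < n and header[j] == '"':
            close = header.find('"', j + 1)
            value = header[j + 1:] if close == -1 else header[j + 1:close]
            i = n if close == -1 else close + 1  # unterminated quote swallows the rest
        else:
            end = header.find(";", j)
            end = n if end == -1 else end
            value, i = header[j:end].strip(), end
        cookies[name] = value
    return cookies


def swallowed_cookies(header: str) -> List[str]:
    """Names a strict parse sees but a lenient parse loses inside a quoted value."""
    lenient = parse_lenient(header)
    return sorted(name for name in parse_strict(header) if name not in lenient)
```

A non-empty result from swallowed_cookies() on an inbound Cookie header is the condition a detection or WAF rule for this issue should flag.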

WAF Protection Rules

WAF Rule

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quo
