CVE-2023-41900 — LOW (3.5) — White Hats Nepal

Q: How severe is CVE-2023-41900?

CVE-2023-41900 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-41900?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Debian Linux.

Vulnerability Description

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

CVSS Score

3.5

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Eclipse	Jetty	>= 9.4.21, < 9.4.52
Debian	Debian Linux	11.0

Related Weaknesses (CWE)

CWE-287 CWE-1390

References

https://github.com/eclipse/jetty.project/pull/9528Patch
https://github.com/eclipse/jetty.project/pull/9660Patch
https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48ExploitPatchVendor Advisory
https://security.netapp.com/advisory/ntap-20231110-0004/Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Third Party Advisory
https://github.com/eclipse/jetty.project/pull/9528Patch
https://github.com/eclipse/jetty.project/pull/9660Patch
https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48ExploitPatchVendor Advisory
https://security.netapp.com/advisory/ntap-20231110-0004/Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Third Party Advisory

FAQ

What is CVE-2023-41900?

CVE-2023-41900 is a vulnerability with a CVSS score of 3.5 (LOW). Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nest...

How severe is CVE-2023-41900?

CVE-2023-41900 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-41900?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Debian Linux.