
[GHSA-p26g-97m4-6q7c] Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies #2404

Conversation

jeffalder

Updates

  • Affected products

Comments
Similar fix to #2393; the correct version is already specified in the details markdown.

@github
Collaborator

github commented Jun 13, 2023

Hi there @jmcc0nn3ll! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to jeffalder/advisory-improvement-2404 June 13, 2023 17:25
@jeffalder
Author

@darakian - Just to be clear compared to #2393, can you help me understand what I should do differently? Should I try to update jetty-server's advisory directly?

https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217 - here's the tag that shows that the CVE was fixed in that release

jetty/jetty.project@jetty-9.4.50.v20221201...jetty-9.4.51.v20230217 - here's the diff from the previous release

jetty/jetty.project#9352 - here's the PR that's mentioned in this advisory

https://central.sonatype.com/artifact/org.eclipse.jetty/jetty-server/9.4.51.v20230217 - here's the artifact from Maven Central.

@darakian
Contributor

darakian commented Jun 13, 2023

@jeffalder this is perfect from my perspective. Having a release tag which links back to the root issue is 👍
I just wanted to make the point in the last PR that we need to validate things before we accept them. Search through some of the closed and not merged PRs in this repo and I think you'll get what I mean 😉

@advisory-database advisory-database bot merged commit c401ad1 into jeffalder/advisory-improvement-2404 Jun 13, 2023
2 checks passed
@advisory-database advisory-database bot deleted the jeffalder-GHSA-p26g-97m4-6q7c branch June 13, 2023 22:44
@advisory-database
Contributor

Hi @jeffalder! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@jmcc0nn3ll

I see; the issue is there is some tooling that is not picking up the nuance of 9.4.51 with that v## date at the end. Do I have that correct?

@darakian
Contributor

I suppose you can put it that way. The source advisory that we ingested didn't reference the v## date at the end and it seems that during manual review of the advisory we missed that.

@jmcc0nn3ll

Sorry, just a bit confused with the process here since I got notified of it. I have no issue with this change or the other in #2393; it is a good clarification, and we'll try and keep it in future CVEs. Do you know if I need to do anything here?

cheers,
Jesse

@darakian
Contributor

All good. We have an automated system to ping authors so they're at least in the loop about changes to how the global version of their advisory is being altered. Nothing needed on your end 😃

@jmcc0nn3ll

Perfect, thanks for keeping us in the loop; I appreciate it!
