test(deps): update dependency org.eclipse.jetty:jetty-server to v9.4.51.v20230217 [security] #332
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.4.44.v20210927
->9.4.51.v20230217
GitHub Vulnerability Alerts
CVE-2023-26048
Impact
Servlets with multipart support (e.g. annotated with
@MultipartConfig
) that callHttpServletRequest.getParameter()
orHttpServletRequest.getParts()
may causeOutOfMemoryError
when the client sends a multipart request with a part that has a name but no filename and a very large content.This happens even with the default settings of
fileSizeThreshold=0
which should stream the whole part content to disk.An attacker client may send a large multipart request and cause the server to throw
OutOfMemoryError
.However, the server may be able to recover after the
OutOfMemoryError
and continue its service -- although it may take some time.A very large number of parts may cause the same problem.
Patches
Patched in Jetty versions
Workarounds
Multipart parameter
maxRequestSize
must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).Limiting multipart parameter
maxFileSize
won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.References
CVE-2023-26049
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.
If Jetty sees a cookie VALUE that starts with
"
(double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.So, a cookie header such as:
DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"
will be parsed as one cookie, with the nameDISPLAY_LANGUAGE
and a value ofb; JSESSIONID=1337; c=d
instead of 3 separate cookies.
Impact
This has security implications because if, say,
JSESSIONID
is anHttpOnly
cookie, and theDISPLAY_LANGUAGE
cookie value is rendered on the page, an attacker can smuggle theJSESSIONID
cookie into theDISPLAY_LANGUAGE
cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.Patches
Workarounds
No workarounds
References
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.