Description
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Details
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| debian-linux | — | — |
| jetty | — | — |
| org.eclipse.jetty:jetty-servlets | 11.0.0 | 11.0.16 |
| org.eclipse.jetty.ee10:jetty-ee10-servlets | — | 12.0.0-beta2 |
| org.eclipse.jetty.ee8:jetty-ee8-servlets | — | 12.0.0-beta2 |
| org.eclipse.jetty.ee9:jetty-ee9-servlets | — | 12.0.0-beta2 |
References
Similar Threats
- Critical CVE-2022-0194
- High CVE-2022-0367
- Medium CVE-2022-0171
- High CVE-2022-0135
- High CVE-2022-0204
Site Security Check
Concerned your site may already be targeted?
BotEraser analyzes incoming traffic patterns and helps identify bot behavior consistent with known exploit attempts.
Check My Site Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.