🛡️ CVE-2023-36479
🟢 CVSS 3.5 — Low ⚠️ Exploit Public CWE-149 NVD
3.5
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Details

Severity LOW
CVSS Score 3.5
CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
CWE CWE-149
Public Exploit ⚠️ Yes
Source NVD
Published 2023-09-15
Updated 2026-06-15
Modified 2025-05-27

Affected Packages

Software From version Fixed in
debian-linux
jetty
org.eclipse.jetty:jetty-servlets 11.0.0 11.0.16
org.eclipse.jetty.ee10:jetty-ee10-servlets 12.0.0-beta2
org.eclipse.jetty.ee8:jetty-ee8-servlets 12.0.0-beta2
org.eclipse.jetty.ee9:jetty-ee9-servlets 12.0.0-beta2

References

Mailing List, Third Party Advisory https://www.debian.org/security/2023/dsa-5507
Mailing List, Third Party Advisory https://www.debian.org/security/2023/dsa-5507

Similar Threats

Site Security Check

Concerned your site may already be targeted?

BotEraser analyzes incoming traffic patterns and helps identify bot behavior consistent with known exploit attempts.

Check My Site Free →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.