Improper Neutralization of Quoting Syntax

CVE-2023-36479

Severity Medium
Score 4.3/10

Summary

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the "CGIServlet" with a very specific command structure may have the wrong command executed. If a user sends a request to an "org.eclipse.jetty.servlets.CGI" Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to "Runtime.exec". If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This vulnerability affects "org.eclipse.jetty.ee10:jetty-ee10-servlets", "org.eclipse.jetty.ee8:jetty-ee8-servlets", and "org.eclipse.jetty.ee9:jetty-ee9-servlets" packages versions 12.0.0.alpha0 through 12.0.0-beta1, and "org.eclipse.jetty:jetty-servlets" package versions through 9.4.51.v20230217, 10.0.0-alpha0 through 10.0.15, and 11.0.0-alpha0 through 11.0.15.
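
The round trip the summary describes, as an added example that is not Jetty's code: a script path with a plain space survives the quote-then-`Runtime.exec(String)` step as one argument, while a name carrying a quotation mark followed by a space comes back as two. The quote-aware re-parse is a simplified model of the platform behaviour, and the argv-based hardening is an assumption, not the project's actual patch.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

// Added illustration, not Jetty's code. Models the path the advisory describes:
// quote a script path that contains a space, then hand it to Runtime.exec(String).
public class CgiQuotingDemo {
    // Runtime.exec(String) splits on whitespace with a plain StringTokenizer;
    // quote characters get no special meaning at this stage.
    static List<String> splitLikeRuntimeExec(String commandLine) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(commandLine);
        while (st.hasMoreTokens()) tokens.add(st.nextToken());
        return tokens;
    }
    // Simplified re-parse of the rejoined tokens (an assumption, not the exact platform
    // rules): double quotes toggle literal mode, unquoted whitespace ends an argument.
    static List<String> reparseQuoteAware(List<String> tokens) {
        List<String> args = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuote = false, pending = false;
        for (char c : String.join(" ", tokens).toCharArray()) {
            if (c == '"') { inQuote = !inQuote; pending = true; }
            else if (c == ' ' && !inQuote) { if (pending) { args.add(cur.toString()); cur.setLength(0); pending = false; } }
            else { cur.append(c); pending = true; }
        }
        if (pending) args.add(cur.toString());
        return args;
    }
    // Pre-fix pattern from the advisory: wrap the path in quotes when it contains a
    // space and exec the resulting string (the optional command prefix is left out).
    static List<String> resolveVulnerable(String binaryPath) {
        String exe = binaryPath.contains(" ") ? "\"" + binaryPath + "\"" : binaryPath;
        return reparseQuoteAware(splitLikeRuntimeExec(exe));
    }
    // Hardened pattern (assumed here, not the project's patch): refuse quote characters
    // and build an argv array for Runtime.exec(String[]), so the path stays one argument.
    static String[] resolveHardened(String binaryPath) {
        if (binaryPath.indexOf('"') >= 0 || binaryPath.indexOf('\'') >= 0)
            throw new IllegalArgumentException("quote character in CGI binary name");
        return new String[] { binaryPath }; // a single argv element, never re-split
    }
    public static void main(String[] args) {
        String normal = "/cgi-bin/my script";    // constructed: a space, no quotes
        String crafted = "/cgi-bin/my\" script"; // constructed: quote followed by space
        System.out.println(resolveVulnerable(normal));
        System.out.println(resolveVulnerable(crafted));
        try { resolveHardened(crafted); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Note that a constructed sample such as `/cgi-bin/my" script` is the full extent of what the advisory's description requires to show the split; the hardened path should also be paired with the fixed package versions listed above.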

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • LOW
  • NONE
  • NONE

CWE-149 - Improper Neutralization of Quoting Syntax

Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Advisory Timeline

  • Published