Improper Authentication
CVE-2023-41900
Summary
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51.v20230217, 10.0.0.beta0 through 10.0.15, and 11.0.0-alpha0 through 11.0.15 are vulnerable to Weak Authentication. If a Jetty "OpenIdAuthenticator" uses the optional nested "LoginService", and that "LoginService" decides to revoke an already authenticated user, the current request will still treat the user as authenticated. The authentication is then cleared from the session, so subsequent requests will not be treated as authenticated. As a result, a request on a previously authenticated session could bypass authentication after it had been rejected by the "LoginService". This impacts usages of "jetty-openid" that have configured a nested "LoginService" where that "LoginService" is capable of rejecting previously authenticated users.
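As an added illustration that is not Jetty's code, the shape of the defect next to its fix: the `LoginService`, `Session` and validate methods below are hypothetical stand-ins for the components the summary names. Both variants clear the cached authentication from the session when the nested login service revokes the user, but only the fixed variant also denies the request that triggered the check.

```java
import java.util.HashMap;
import java.util.Map;

public class RevocationCheckDemo {
    /** Hypothetical nested login service: says whether a cached user is still acceptable. */
    interface LoginService { boolean validate(String userId); }

    /** Hypothetical session holding the authentication cached between requests. */
    static class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        Object get(String key) { return attrs.get(key); }
        void set(String key, Object value) { attrs.put(key, value); }
        void remove(String key) { attrs.remove(key); }
    }

    static final String AUTH_KEY = "cached.auth";

    /** Vulnerable shape: the session is cleared, yet the stale identity is still returned
     *  for the current request, so only later requests see the revocation. */
    static String vulnerableValidate(Session session, LoginService loginService) {
        String user = (String) session.get(AUTH_KEY);
        if (user == null) return null;
        if (!loginService.validate(user)) {
            session.remove(AUTH_KEY);   // subsequent requests are unauthenticated ...
        }
        return user;                    // ... but this one still proceeds as 'user'
    }

    /** Fixed shape: a rejection by the login service fails the current request as well. */
    static String fixedValidate(Session session, LoginService loginService) {
        String user = (String) session.get(AUTH_KEY);
        if (user == null) return null;
        if (!loginService.validate(user)) {
            session.remove(AUTH_KEY);
            return null;                // unauthenticated right now, not just next time
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed scenario: the login service has revoked every cached user.
        LoginService revoking = userId -> false;
        Session first = new Session();  first.set(AUTH_KEY, "alice");
        Session second = new Session(); second.set(AUTH_KEY, "alice");
        System.out.println("vulnerable variant returns: " + vulnerableValidate(first, revoking));
        System.out.println("fixed variant returns:      " + fixedValidate(second, revoking));
    }
}
```

The defender-side takeaway is that a revocation check must gate the response of the request in which it runs, not only the session state consulted by the next one.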
CVSS metrics
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality: LOW
- Integrity: LOW
- Availability: NONE
CWE-287 - Improper Authentication
Improper (or broken) authentication attacks are widespread and have accounted for many of the worst data breaches in recent years. They are a class of vulnerabilities in which an attacker impersonates a legitimate user by exploiting weaknesses in either session management or credential management to gain access to the user's account. This can result in disclosure of sensitive information and can lead to system compromise, theft, identity theft, and fraud.
References
Advisory Timeline
- Published