CVE-2020-27223

Published Feb 26, 2021

Last updated 9 months ago

CVSS medium 5.2

Overview

Description: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Source: emo@eclipse.org
NVD status: Modified
Products: jetty, nifi, spark, e-series_santricity_os_controller, e-series_santricity_web_services, element_plug-in_for_vcenter_server, hci, hci_management_node, management_services_for_element_software, snap_creator_framework, snapcenter, snapmanager, solidfire, debian_linux, solr, rest_data_services

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4.3
Impact score: 2.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:N/I:N/A:P

Weaknesses

emo@eclipse.org: CWE-407
nvd@nist.gov: CWE-400

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "F30DCAA9-4998-4E2F-9341-8E0F1752CB92",
            "versionEndExcluding": "9.4.36",
            "versionStartIncluding": "9.4.7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*",
            "matchCriteriaId": "16872138-6AF5-418F-998F-1220DA602AE9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:*",
            "matchCriteriaId": "3211336E-0EE6-4676-AEFA-A778176C0ECE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:eclipse:jetty:9.4.36:-:*:*:*:*:*:*",
            "matchCriteriaId": "23BC90F3-4107-46B6-8135-42374512EDDA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:eclipse:jetty:9.4.36:20210114:*:*:*:*:*:*",
            "matchCriteriaId": "F8B77C51-6991-4C6B-9112-AC87B0E9D530",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*",
            "matchCriteriaId": "5737CF3E-AA46-45DD-801A-E22ACCDB00CD",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*",
            "matchCriteriaId": "52F4E0D3-9709-4073-9DE0-F36CDD3DB62F",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:nifi:1.13.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "12AA1D39-F2E2-48E7-9D9F-49F5E52F29B0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:spark:3.1.1:-:*:*:*:*:*:*",
            "matchCriteriaId": "16A8F28D-5F62-4F99-9292-20E039E0756B",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "FF971916-C526-43A9-BD80-985BCC476569",
            "versionEndIncluding": "11.70.1",
            "versionStartIncluding": "11.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*",
            "matchCriteriaId": "1AEFF829-A8F2-4041-8DDF-E705DB3ADED2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "214712B6-59AF-4B5E-84BF-AF3C74A390EA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "8A6E548F-62E9-40CB-85DA-FDAA0F0096C6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "86B51137-28D9-41F2-AFA2-3CC22B4954D1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*",
            "matchCriteriaId": "26A2B713-7D6D-420A-93A4-E0D983C983DF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*",
            "matchCriteriaId": "64DE38C8-94F1-4860-B045-F33928F676A8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:solr:8.8.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "42672AEA-5920-4951-ADCF-5D5AA4AB4A77",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "D0AFFDC9-8EBA-45A2-AD53-18E663AF4631",
            "versionEndExcluding": "20.4.3.050.1904",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

Related CVEs

References