CVE-2020-27223
26.02.2021, 22:15
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Vendor | Product | Version |
---|---|---|
eclipse | jetty | 9.4.7 ≤ 𝑥 < 9.4.36 |
eclipse | jetty | 9.4.6:20170531 |
eclipse | jetty | 9.4.6:20180619 |
eclipse | jetty | 9.4.36 |
eclipse | jetty | 9.4.36:20210114 |
eclipse | jetty | 10.0.0 |
eclipse | jetty | 11.0.0 |
apache | nifi | 1.13.0 |
apache | spark | 3.1.1 |
netapp | e-series_santricity_os_controller | 11.0.0 ≤ 𝑥 ≤ 11.70.1 |
netapp | e-series_santricity_web_services | - |
netapp | element_plug-in_for_vcenter_server | - |
netapp | hci | - |
netapp | hci_management_node | - |
netapp | management_services_for_element_software | - |
netapp | snap_creator_framework | - |
netapp | snapcenter | - |
netapp | snapmanager | - |
netapp | solidfire | - |
debian | debian_linux | 10.0 |
apache | solr | 8.8.1 |
oracle | rest_data_services | 𝑥 < 20.4.3.050.1904 |
𝑥 = Vulnerable software versions

Common Weakness Enumeration
- CWE-407 - Inefficient Algorithmic Complexity: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
- CWE-400 - Uncontrolled Resource Consumption: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.