CVE-2023-41900

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.5 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Affected Products (NVD)
VendorProductVersion
eclipsejetty
9.4.21 ≤
𝑥
< 9.4.52
eclipsejetty
10.0.0 ≤
𝑥
< 10.0.16
eclipsejetty
11.0.0 ≤
𝑥
< 11.0.16
debiandebian_linux
11.0
debiandebian_linux
12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jetty9
bookworm
9.4.50-4+deb12u3
fixed
bookworm (security)
9.4.50-4+deb12u3
fixed
bullseye
9.4.50-4+deb11u2
fixed
bullseye (security)
9.4.50-4+deb11u2
fixed
buster
not-affected
sid
9.4.56-1
fixed
trixie
9.4.56-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jetty9
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
jetty-http
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-io
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-security
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-server
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-servlet
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-util
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-util-ajax
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
Common Weakness Enumeration
References
https://github.com/eclipse/jetty.project/pull/9528
https://github.com/eclipse/jetty.project/pull/9660
https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
https://security.netapp.com/advisory/ntap-20231110-0004/
https://www.debian.org/security/2023/dsa-5507
https://github.com/eclipse/jetty.project/pull/9528
https://github.com/eclipse/jetty.project/pull/9660
https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
https://security.netapp.com/advisory/ntap-20231110-0004/
https://www.debian.org/security/2023/dsa-5507