Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

The version of IBM Cognos Analytics installed on the remote host is prior to 11.1.7 FP8, 11.2.4 FP3, or 12.0.2. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Bulletin No. 7123154, including the following:

  - When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the   allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using   Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which   addresses this issue. (CVE-2023-39410)

  - In order to decrypt SM2 encrypted data an application is expected to call the API function   EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the   'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required   to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call   EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the   implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the   plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by   the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a   second time with a buffer that is too small. A malicious attacker who is able present SM2 content for   decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of   62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour   or causing the application to crash. The location of the buffer is application dependent but is typically   heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). (CVE-2021-3711)

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
  Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using   SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend   upgrading to version 2.0 and beyond. (CVE-2022-1471)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-94843 advisory.

  - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name     or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is     very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become     negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered.
    Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative,     potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by     2. This means that if a user provides a negative length value (or, more precisely, a length value which,     when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive     number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.
    Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions     11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. (CVE-2023-36478)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3641 advisory.

  - In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0     to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are     multiplexed onto a single connection, and if an attacker can send a request with a body that is received     entirely but not consumed by the application, then a subsequent request on the same connection will see     that body prepended to its body. The attacker will not see any data but may inject data into the body of     the subsequent request. (CVE-2020-27218)

  - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name     or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is     very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become     negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered.
    Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative,     potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by     2. This means that if a user provides a negative length value (or, more precisely, a length value which,     when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive     number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.
    Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions     11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. (CVE-2023-36478)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5540 advisory.

  - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name     or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is     very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become     negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered.
    Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative,     potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by     2. This means that if a user provides a negative length value (or, more precisely, a length value which,     when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive     number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.
    Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions     11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. (CVE-2023-36478)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4210-1 advisory.

  - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name     or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is     very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become     negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered.
    Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative,     potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by     2. This means that if a user provides a negative length value (or, more precisely, a length value which,     when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive     number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.
    Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions     11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. (CVE-2023-36478)

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the     CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a     request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet     will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command     prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the     user contains a quotation mark followed by a space, the resulting command line will contain multiple     tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and     12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This     is more permissive than allowed by the RFC and other servers routinely reject such requests with 400     responses. There is no known exploit scenario, but it is conceivable that request smuggling could result     if jetty is used in combination with a server that does not close the connection after sending such a 400     response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no     workaround as there is no known exploit scenario. (CVE-2023-40167)

  - Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15     are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested     `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current     request will still treat the user as authenticated. The authentication is then cleared from the session     and subsequent requests will not be treated as authenticated. So a request on a previously authenticated     session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This     impacts usages of the jetty-openid which have configured a nested `LoginService` and where that     `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and     11.0.16 have a patch for this issue. (CVE-2023-41900)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 1ee26d45-6ddb-11ee-9898-00e081b7aa2d advisory.

  - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name     or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is     very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become     negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered.
    Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative,     potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by     2. This means that if a user provides a negative length value (or, more precisely, a length value which,     when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive     number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.
    Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions     11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. (CVE-2023-36478)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.414.3 or Jenkins weekly prior to 2.428. It is, therefore, affected by multiple vulnerabilities:

  - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name     or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is     very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become     negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered.
    Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative,     potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by     2. This means that if a user provides a negative length value (or, more precisely, a length value which,     when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive     number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.
    Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions     11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. (CVE-2023-36478)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193868	IBM Cognos Analytics 11.1.1 < 11.1.7 FP8 / 11.2.x < 11.2.4 FP3 / 12.0.x < 12.0.2 (7123154)	Nessus	CGI abuses	critical
192703	Atlassian Confluence < 7.19.20 / 7.20.x < 8.5.7 (CONFSERVER-94843)	Nessus	CGI abuses	high
184061	Debian DLA-3641-1 : jetty9 - LTS security update	Nessus	Debian Local Security Checks	medium
184060	Debian DSA-5540-1 : jetty9 - security update	Nessus	Debian Local Security Checks	high
183942	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2023:4210-1)	Nessus	SuSE Local Security Checks	medium
183319	FreeBSD : jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty (1ee26d45-6ddb-11ee-9898-00e081b7aa2d)	Nessus	FreeBSD Local Security Checks	high
183316	Jenkins LTS < 2.414.3 / Jenkins weekly < 2.428 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2023-36478

high

Tenable Plugins

critical

high

medium

high

medium

high

high