CVE-2023-26048
Denial of Service vulnerability in jetty-server (Maven)


What is CVE-2023-26048 About?

This vulnerability in servlets with multipart support can lead to a Denial of Service (DoS) due to OutOfMemoryError. When processing multipart requests with a very large content part (without a filename) or a very large number of parts, the server may exhaust its memory. An attacker can easily exploit this by sending specially crafted multipart requests.

Affected Software

  • org.eclipse.jetty:jetty-server
    • >10.0.0, <10.0.14
    • <9.4.51.v20230217
    • >11.0.0, <11.0.14

Technical Details

The vulnerability affects servlets configured with @MultipartConfig that process multipart requests. When the HttpServletRequest.getParameter() or HttpServletRequest.getParts() methods are called, and the client sends a multipart request containing a part with a name but no filename, and an excessively large content size, the server attempts to buffer this large content in memory even with fileSizeThreshold=0. This unexpected in-memory processing, especially when combined with many such parts, causes the JVM to run out of memory (OutOfMemoryError), leading to a Denial of Service. Even if the server recovers, there's a period of unavailability.

What is the Impact of CVE-2023-26048?

Successful exploitation may allow attackers to exhaust server memory, leading to an OutOfMemoryError, which can crash the application or cause a temporary, severe denial of service.

What is the Exploitability of CVE-2023-26048?

Exploitation involves sending specially crafted multipart requests that are either extremely large in content for a single part without a filename, or distributed across a very large number of parts. The complexity is low, as it primarily requires constructing a large HTTP multipart request. No specific authentication or privileges are mentioned as necessary for initiating such requests; any client capable of sending multipart data to the servlet can attempt exploitation. This is a remote exploitation vector. The risk factors for exploitation include exposed multipart-enabled servlets and inadequate server-side input validation or resource limits on multipart request sizes and part counts. Workarounds like setting maxRequestSize help mitigate the risk.

What are the Known Public Exploits?

PoC Author | Link | Commentary
-----------|------|-----------------------
Trinadh465 | Link | PoC for CVE-2023-26048

What are the Available Fixes for CVE-2023-26048?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch enforces limits on the total number and cumulative size of form data keys in multipart requests by introducing configurable maximums and rejecting requests that exceed them. This fixes CVE-2023-26048 by preventing attackers from abusing multipart form uploads to exhaust server resources through excessive or oversized form fields, thereby mitigating potential denial-of-service scenarios.
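The workaround named in the exploitability section (bounding the request with maxRequestSize) and the limits described in the fix above both come down to capping what a multipart servlet will buffer. The following servlet is an added illustration, not code from Jetty or from Resolved Security; the limit values, the /upload path and the MAX_PARTS constant are hypothetical and must be sized for the real upload use case.

```java
import java.io.IOException;
import java.util.Collection;

import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Weak configuration (do not use): no size limits, so a huge part without a filename,
// or thousands of small parts, are buffered until the JVM runs out of memory.
//   @MultipartConfig(fileSizeThreshold = 0)
//
// Hardened configuration: bound the whole body and each part. The container throws
// IllegalStateException from getParts()/getParameter() once a limit is crossed, so the
// request is rejected instead of being buffered to exhaustion. Values are hypothetical.
@WebServlet("/upload")
@MultipartConfig(
        location = "/tmp/uploads",           // spill directory for parts above the threshold
        fileSizeThreshold = 64 * 1024,       // keep at most 64 KiB of any part in memory
        maxFileSize = 5L * 1024 * 1024,      // no single part larger than 5 MiB
        maxRequestSize = 10L * 1024 * 1024)  // whole multipart body at most 10 MiB
public class UploadServlet extends HttpServlet {

    // Application-level cap on part count (hypothetical value) for the "many parts" variant.
    private static final int MAX_PARTS = 20;
    // Plain form fields (parts without a filename) should be short; cap them separately.
    private static final long MAX_FIELD_BYTES = 4096;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Collection<Part> parts;
        try {
            parts = req.getParts(); // enforces maxFileSize and maxRequestSize
        } catch (IllegalStateException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "multipart limits exceeded");
            return;
        }
        boolean ok = parts.size() <= MAX_PARTS;
        for (Part p : parts) {
            // getSubmittedFileName() is null for ordinary form fields.
            if (p.getSubmittedFileName() == null && p.getSize() > MAX_FIELD_BYTES) ok = false;
            p.delete(); // release any temp file once handled
        }
        resp.setStatus(ok ? HttpServletResponse.SC_OK : HttpServletResponse.SC_BAD_REQUEST);
    }
}
```

On the affected versions the @MultipartConfig limits are the available workaround; upgrading to the fixed releases listed below adds the container-side key count and size limits as well.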

Available Upgrade Options

  • org.eclipse.jetty:jetty-server
    • <9.4.51.v20230217 → Upgrade to 9.4.51.v20230217
  • org.eclipse.jetty:jetty-server
    • >10.0.0, <10.0.14 → Upgrade to 10.0.14
  • org.eclipse.jetty:jetty-server
    • >11.0.0, <11.0.14 → Upgrade to 11.0.14


Additional Resources

What are Similar Vulnerabilities to CVE-2023-26048?

Similar Vulnerabilities: CVE-2022-38750, CVE-2023-1428, CVE-2023-28952, CVE-2022-29977, CVE-2022-3103