CVE-2023-26049
Cookie Smuggling vulnerability in jetty-server (Maven)
What is CVE-2023-26049 About?
This vulnerability in Jetty's server-side cookie parsing allows cookie smuggling. If a cookie value starts with a double quote, Jetty reads until the matching closing quote and ignores any semicolons in between, so several cookies sent by the browser are parsed as the value of one cookie. An attacker who can plant a cookie that the application reflects can use this to read HttpOnly cookies (such as JSESSIONID) from a page, and to make a proxy or WAF and the application disagree about which cookies were sent. Exploitation difficulty is moderate because those preconditions must hold.
Affected Software
- org.eclipse.jetty:jetty-server
- <9.4.51.v20230217
- >=10.0.0, <10.0.14
- >=11.0.0, <11.0.14
- >=12.0.0.alpha0, <12.0.0.beta0
Technical Details
The vulnerability arises from Jetty's nonstandard parsing of the Cookie request header. RFC 6265 separates cookie-pairs with semicolons and treats a double quote as an ordinary character in a value. If Jetty encountered a cookie VALUE that began with a double quote ("), it instead kept reading until the matching closing quote, even across semicolons. A header such as DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" was therefore parsed as a single cookie named DISPLAY_LANGUAGE with the value b; JSESSIONID=1337; c=d, rather than as three cookies. Every cookie the browser placed between the opening and closing quote is absorbed into the first cookie's value.
This has two consequences. First, if the application reflects the value of a cookie the attacker can set (a display-language or theme preference, for instance, set from a sibling subdomain or through a cookie-injection flaw), the attacker can give that cookie an unterminated quote as its value and add a later cookie whose value supplies the closing quote. The browser then sends everything in between, including an HttpOnly JSESSIONID, inside the quoted span, and the application renders it where page script can read it, defeating HttpOnly. Second, an intermediary (proxy, WAF, gateway) that parses the header per RFC 6265 sees separate cookies while Jetty sees one, so a policy the intermediary enforces on a named cookie does not match what the application actually receives.
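The parsing difference described above, and the check an intermediary would want for it, as an added example (this is not Jetty's code; parse_quoted_lenient is a simulation of the behaviour the advisory describes, and the Cookie headers used are constructed for the example):

```python
"""Model of the cookie-parsing difference behind CVE-2023-26049.

parse_rfc6265() splits on ';' as RFC 6265 section 5.4 requires, treating '"'
as an ordinary character. parse_quoted_lenient() models the pre-fix behaviour
described in the advisory: a value that starts with '"' is read through to the
closing '"', semicolons included. It is a simulation, not Jetty's parser.
"""


def parse_rfc6265(header: str) -> list[tuple[str, str]]:
    """RFC 6265 parse: one cookie-pair per ';'-separated token; quotes kept as-is."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if sep:  # tokens without '=' are ignored, as RFC 6265 section 5.4 allows
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_quoted_lenient(header: str) -> list[tuple[str, str]]:
    """Simulated vulnerable parse: a leading '"' swallows everything up to the
    next '"' (or end of header) as one value, even across ';'."""
    pairs = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":  # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        semi = header.find(";", i)
        if eq == -1 or (semi != -1 and semi < eq):  # token without '=': skip it
            i = semi if semi != -1 else n
            continue
        name = header[i:eq].strip()
        j = eq + 1
        while j < n and header[j] == " ":
            j += 1
        if j < n and header[j] == '"':
            close = header.find('"', j + 1)
            if close == -1:  # unterminated quote: value runs to end of header
                close = n
            value = header[j + 1:close]
            i = close + 1
        else:
            end = header.find(";", j)
            if end == -1:
                end = n
            value = header[j:end].strip()
            i = end
        pairs.append((name, value))
    return pairs


def smuggled_cookies(header: str) -> dict[str, list[str]]:
    """For each cookie as the lenient parser sees it, list the RFC 6265 cookie
    names that ended up inside its value. A non-empty result is a smuggling
    attempt and is what a proxy or WAF rule should flag."""
    rfc_names = {name for name, _ in parse_rfc6265(header)}
    found = {}
    for name, value in parse_quoted_lenient(header):
        hidden = sorted(n for n in rfc_names if n != name and f"{n}=" in value)
        if hidden:
            found[name] = hidden
    return found


if __name__ == "__main__":
    # Constructed headers: the advisory-shaped case, and the exfiltration shape
    # where an attacker-set 'lang' cookie opens a quote that a later cookie closes.
    for h in ('DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"',
              'lang="; JSESSIONID=secret; z="',
              "a=1; b=2"):
        print(h)
        print("  RFC 6265 :", parse_rfc6265(h))
        print("  lenient  :", parse_quoted_lenient(h))
        print("  smuggled :", smuggled_cookies(h))
```

The second constructed header is the realistic exfiltration shape: the attacker controls only lang and z, yet the lenient parse hands the application a lang value of `; JSESSIONID=secret; z=`, which is what a reflected cookie would expose to page script.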
What is the Impact of CVE-2023-26049?
Successful exploitation lets an attacker merge several cookies into the value of one, bypass cookie-level policies enforced by intermediaries, and expose HttpOnly cookies such as JSESSIONID through pages that reflect cookie values, which can lead to session hijacking or unauthorized access.
What is the Exploitability of CVE-2023-26049?
Exploitation is of moderate complexity. The crafted Cookie header itself is trivial to build, and no authentication or privilege is needed to send it, but the attack is only useful when two conditions hold: the attacker must be able to place a cookie in the victim's browser (for example from a sibling subdomain or via a cookie-injection flaw), and the application must reflect that cookie's value in a response where script can read it. The vulnerability is remote, since it is triggered purely by how the server processes the HTTP request header, and it depends on Jetty's specific handling of a cookie value that begins with a double quote.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| uthrasri | Link | PoC for CVE-2023-26049 |
What are the Available Fixes for CVE-2023-26049?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
- <9.4.51.v20230217 → Upgrade to 9.4.51.v20230217
- org.eclipse.jetty:jetty-server
- >=10.0.0, <10.0.14 → Upgrade to 10.0.14
- org.eclipse.jetty:jetty-server
- >=11.0.0, <11.0.14 → Upgrade to 11.0.14
- org.eclipse.jetty:jetty-server
- >=12.0.0.alpha0, <12.0.0.beta0 → Upgrade to 12.0.0.beta0
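A check that maps a resolved jetty-server version to the upgrade target listed above, as an added example (not Jetty or Resolved Security code). Jetty version strings take forms such as 9.4.50.v20221201, 10.0.13 and 12.0.0.alpha2; the ordering used here (alpha < beta < final or dated build) is an assumption made for this check, and anything else in the version string raises an error rather than being guessed at:

```python
"""Classify a jetty-server version against the affected ranges on this page."""
import re
from typing import Optional

_QUAL_RANK = {"alpha": 0, "beta": 1}


def version_key(version: str) -> tuple:
    """Comparable key: '12.0.0.alpha2' -> (12, 0, 0, 0, 2),
    '9.4.51.v20230217' -> (9, 4, 51, 2, 20230217), '10.0.14' -> (10, 0, 14, 2, 0).
    Assumed ordering: alpha < beta < final/dated build."""
    nums = []
    qual = (2, 0)  # final or dated build sorts after alpha and beta
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
            continue
        m = re.fullmatch(r"(alpha|beta)(\d*)", part)
        if m:
            qual = (_QUAL_RANK[m.group(1)], int(m.group(2) or 0))
        elif re.fullmatch(r"v\d{8}", part):
            qual = (2, int(part[1:]))
        else:
            raise ValueError(f"unrecognised version component {part!r} in {version!r}")
        break  # the qualifier is always the last component
    while len(nums) < 3:
        nums.append(0)
    return (*nums[:3], *qual)


# (inclusive lower bound or None, exclusive upper bound, fixed version), from this page
AFFECTED_RANGES = [
    (None, "9.4.51.v20230217", "9.4.51.v20230217"),
    ("10.0.0", "10.0.14", "10.0.14"),
    ("11.0.0", "11.0.14", "11.0.14"),
    ("12.0.0.alpha0", "12.0.0.beta0", "12.0.0.beta0"),
]


def upgrade_target(version: str) -> Optional[str]:
    """Return the version to upgrade to, or None if `version` is not affected."""
    key = version_key(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low is not None and key < version_key(low):
            continue
        if key < version_key(high):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample of versions as they might appear in `mvn dependency:tree` output.
    for v in ["9.4.50.v20221201", "9.4.51.v20230217", "10.0.13", "11.0.14", "12.0.0.alpha2"]:
        print(f"{v:20} -> {upgrade_target(v) or 'not affected'}")
```

Feed it the jetty-server version that your build actually resolves (the output of `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-server`, not the declared version), since a transitive dependency can pull in a different release than the one in your POM.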
Additional Resources
- https://www.rfc-editor.org/rfc/rfc6265
- https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
- https://github.com/eclipse/jetty.project
- https://nvd.nist.gov/vuln/detail/CVE-2023-26049
- https://osv.dev/vulnerability/GHSA-p26g-97m4-6q7c
- https://www.rfc-editor.org/rfc/rfc2965
What are Similar Vulnerabilities to CVE-2023-26049?
Similar Vulnerabilities: CVE-2018-8771, CVE-2019-10020, CVE-2019-17562, CVE-2020-13933, CVE-2021-34440
