CVE-2023-36479
Improper Command Handling vulnerability in jetty-servlets (Maven)
What is CVE-2023-36479 About?
This vulnerability in `org.eclipse.jetty.servlets.CGI` allows for the execution of an unintended binary instead of the one specified by the user. If a user provides a binary name with a specific quotation mark and space pattern, Jetty's escaping mechanism incorrectly tokenizes the command. This leads to the invocation of an arbitrary, unexpected program, with the ease of exploitation depending on the specific file system structure.
Affected Software
- org.eclipse.jetty:jetty-servlets
  - >9.0.0, <9.4.52
  - >10.0.0, <10.0.16
  - >11.0.0, <11.0.16
- org.eclipse.jetty.ee10:jetty-ee10-servlets
  - <12.0.0-beta2
- org.eclipse.jetty.ee9:jetty-ee9-servlets
  - <12.0.0-beta2
- org.eclipse.jetty.ee8:jetty-ee8-servlets
  - <12.0.0-beta2
Technical Details
The vulnerability in `org.eclipse.jetty.servlets.CGI` occurs because binary names containing spaces are escaped improperly. Specifically, if `execCmd` (the binary path) contains a space but is not already quoted, the servlet wraps it in quotation marks: `execCmd = "\"" + execCmd + "\""`. However, if the user-supplied binary name already contains a quotation mark followed by a space (e.g. `file" name "here`), the escaping logic produces a command-line string like `"file" name "here"`, which is no longer a single quoted token. When this malformed string is passed to `Runtime.exec`, the operating system interprets `file` as the executable and `name "here"` as its arguments, rather than executing the intended `file" name "here` as a single binary. This allows an attacker to control which program is executed by crafting a filename that, once escaped, results in a different, existing binary being invoked. The `useFullPath` setting also plays a role: when it is off, the attack does not depend on the existence check, which broadens the attack surface.
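As an added illustration (this is not Jetty's code or its patch), the Java below reproduces the quoting step described above, shows how the whitespace tokenizer used by `Runtime.exec(String)` turns the escaped name into three tokens instead of one, and contrasts it with a hardened builder that rejects quote characters, confines the script to the CGI root and passes an argv list to `ProcessBuilder`. The class name, the `buildSafely` helper and the `/var/www/cgi-bin` root are this example's own assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
public class CgiCommandDemo {
    // Vulnerable pattern as the advisory describes it: a binary path containing a
    // space is wrapped in quotes and the resulting string goes to Runtime.exec.
    static String vulnerableQuote(String execCmd) {
        if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" ")) {
            execCmd = "\"" + execCmd + "\"";
        }
        return execCmd;
    }
    // Runtime.exec(String) splits its argument with a whitespace StringTokenizer
    // (documented JDK behaviour); quotation marks do not group tokens for it.
    static List<String> tokenize(String command) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) tokens.add(st.nextToken());
        return tokens;
    }
    // Hardened form (this example's own, not Jetty's fix): never assemble a command string.
    // Reject quotes, keep the script inside the CGI root, and pass argv so the path stays one element.
    static ProcessBuilder buildSafely(File cgiRoot, String requested, List<String> args) throws IOException {
        if (requested.indexOf('"') >= 0 || requested.indexOf('\'') >= 0) {
            throw new IOException("quote characters are not allowed in a script name");
        }
        File root = cgiRoot.getCanonicalFile();
        File script = new File(root, requested).getCanonicalFile();
        if (!script.getPath().startsWith(root.getPath() + File.separator) || !script.isFile()) {
            throw new IOException("not a file under the CGI root: " + requested);
        }
        List<String> argv = new ArrayList<>();
        argv.add(script.getPath());
        argv.addAll(args);
        return new ProcessBuilder(argv);
    }
    public static void main(String[] a) {
        String escaped = vulnerableQuote("file\" name \"here");
        System.out.println("escaped command : " + escaped);
        System.out.println("exec tokens     : " + tokenize(escaped));
        try {   // /var/www/cgi-bin is a placeholder root for the demonstration
            buildSafely(new File("/var/www/cgi-bin"), "file\" name \"here", List.of());
        } catch (IOException e) {
            System.out.println("hardened builder: rejected (" + e.getMessage() + ")");
        }
    }
}
```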
What is the Impact of CVE-2023-36479?
Successful exploitation may allow attackers to execute unintended programs on the server, potentially leading to unauthorized operations, bypass of security controls, or denial of service.
What is the Exploitability of CVE-2023-36479?
Exploitation requires a very specific command structure within the cgi-bin directory or a similar setup where the org.eclipse.jetty.servlets.CGI Servlet is in use. The attack involves crafting a request referencing a binary name that, due to Jetty's flawed escaping, causes a different binary to be executed. This is typically a remote exploitation scenario via HTTP requests to the servlet. No specific authentication or elevated privileges are inherently required, as the vulnerability lies in how user-supplied input to the CGI servlet is processed. The complexity is moderate due to the need for a precise filename format and existing binaries that can be inadvertently triggered. The presence of the deprecated org.eclipse.jetty.servlets.CGI Servlet is the primary risk factor.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-36479?
Available Upgrade Options
- org.eclipse.jetty:jetty-servlets
  - >9.0.0, <9.4.52 → Upgrade to 9.4.52
  - >10.0.0, <10.0.16 → Upgrade to 10.0.16
  - >11.0.0, <11.0.16 → Upgrade to 11.0.16
- org.eclipse.jetty.ee8:jetty-ee8-servlets
  - <12.0.0-beta2 → Upgrade to 12.0.0-beta2
- org.eclipse.jetty.ee10:jetty-ee10-servlets
  - <12.0.0-beta2 → Upgrade to 12.0.0-beta2
- org.eclipse.jetty.ee9:jetty-ee9-servlets
  - <12.0.0-beta2 → Upgrade to 12.0.0-beta2
Additional Resources
- https://www.debian.org/security/2023/dsa-5507
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
- https://github.com/eclipse/jetty.project/pull/9516
- https://github.com/eclipse/jetty.project/pull/9888
- https://github.com/eclipse/jetty.project/pull/9889
- https://github.com/eclipse/jetty.project
- https://nvd.nist.gov/vuln/detail/CVE-2023-36479
- https://osv.dev/vulnerability/GHSA-3gh6-v5v9-6v9j
What are Similar Vulnerabilities to CVE-2023-36479?
Similar Vulnerabilities: CVE-2022-22965, CVE-2021-41006, CVE-2020-13936, CVE-2019-10080, CVE-2018-8032
