Double Buffer Release Vulnerability in Eclipse Jetty Server
CVE-2019-17638
Key Information:
- Vendor: The Eclipse Foundation
- Status: Vendor
- CVE Published: 9 July 2020
What is CVE-2019-17638?
In Eclipse Jetty, improper handling of large HTTP response headers can cause response data to be shared between clients. When Jetty encounters excessively large response headers, it releases the same ByteBuffer to its buffer pool twice. Two separate threads can then be handed the same buffer at the same time, so one client's response data may be overwritten by data intended for another client. This poses significant risks, including exposure of sensitive information such as session IDs and authentication credentials. Users are advised either to upgrade to a patched version or to increase the relevant configuration limits to mitigate this issue.
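The double-release failure mode described above, as an added example that is not Jetty's code: a toy ByteBuffer pool (constructed here, not Jetty's ByteBufferPool) whose unguarded release queues the same buffer twice, so two clients acquire one buffer and the second overwrites the first client's header, beside a guarded release that rejects the second release. The BufferPool and DoubleReleaseDemo classes and the Set-Cookie header strings are assumptions for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

// Toy pool of reusable ByteBuffers, constructed for this example; not Jetty's ByteBufferPool.
final class BufferPool {
    private final ArrayDeque<ByteBuffer> free = new ArrayDeque<>();
    // Identity set of buffers currently in the pool, used to detect a second release.
    private final Set<ByteBuffer> pooled = Collections.newSetFromMap(new IdentityHashMap<>());
    private final int capacity;
    BufferPool(int capacity) { this.capacity = capacity; }

    synchronized ByteBuffer acquire() {
        ByteBuffer b = free.poll();
        if (b == null) return ByteBuffer.allocate(capacity);
        pooled.remove(b);
        b.clear();
        return b;
    }
    // Unguarded release: queuing the same buffer twice means the next two acquire()
    // calls hand one buffer to two owners, which is the CVE-2019-17638 failure mode.
    synchronized void releaseUnguarded(ByteBuffer b) { free.offer(b); }
    // Guarded release: a buffer that is already in the pool is rejected, not queued again.
    synchronized void release(ByteBuffer b) {
        if (!pooled.add(b)) throw new IllegalStateException("double release of buffer");
        free.offer(b);
    }
}

public class DoubleReleaseDemo {
    // Two cleanup paths release the same buffer, then two clients each acquire a buffer
    // and write their own response header into it. Returns the text client A ends up holding.
    static String responseSeenByClientA(BufferPool pool, boolean guarded) {
        ByteBuffer b = pool.acquire();
        if (guarded) { pool.release(b); pool.release(b); }            // second call throws
        else { pool.releaseUnguarded(b); pool.releaseUnguarded(b); }
        ByteBuffer a = pool.acquire();
        ByteBuffer c = pool.acquire();  // unguarded pool: c is the very same object as a
        a.put("Set-Cookie: sid=A\r\n".getBytes(StandardCharsets.UTF_8));
        c.clear();
        c.put("Set-Cookie: sid=B\r\n".getBytes(StandardCharsets.UTF_8)); // clobbers A's header
        a.flip();
        return StandardCharsets.UTF_8.decode(a).toString();
    }
    public static void main(String[] args) {
        System.out.println("unguarded, client A holds: " + responseSeenByClientA(new BufferPool(64), false));
        try { responseSeenByClientA(new BufferPool(64), true); }
        catch (IllegalStateException e) { System.out.println("guarded pool rejected: " + e.getMessage()); }
    }
}
```

With the unguarded pool, client A's buffer carries client B's session cookie, which is the cross-client leak the advisory describes; the guarded pool fails fast on the second release instead.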
Affected Version(s)
Eclipse Jetty 9.4.27.v20200227 to 9.4.29.v20200521
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
References
EPSS Score
32% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability reserved