Denial of Service Vulnerability in Eclipse Jetty Server
CVE-2020-27223
Key Information:
- Vendor: The Eclipse Foundation
- Status: Vendor
- CVE Published: 26 February 2021
What is CVE-2020-27223?
In the affected versions of the Eclipse Jetty Server, the handling of multiple HTTP Accept headers that carry a large number of 'quality' parameters can consume a disproportionate amount of CPU time. A request of this form can drive the server into a denial of service (DoS) state, with CPU exhaustion lasting for as long as the parameters are being processed. Because the flaw directly affects server availability and performance, affected deployments should be updated promptly.
Affected Version(s)
- Eclipse Jetty 9.4.6.v20170531
- Eclipse Jetty <= 9.4.36.v20210114
- Eclipse Jetty 10.0.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
EPSS Score
26% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved