SCA: security update for org.eclipse.jetty:jetty-server (GHSA-p26g-97m4-6q7c)

medium Tenable Cloud Security Plugin ID 417211

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an
attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering
with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it
will continue to read the cookie string until it sees a closing quote -- even if a semicolon is
encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as
one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate
cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the
DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into
the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is
enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by
the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14,
11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
(CVE-2023-26049)

See Also

https://github.com/advisories/GHSA-p26g-97m4-6q7c

Plugin Details

Severity: Medium

ID: 417211

Version: Revision 1.17

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-26049

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/18/2023

Vulnerability Publication Date: 4/18/2023

Reference Information

CVE: CVE-2023-26049

cwe: CWE-200