CVE-2023-36479: Jetty vulnerable to errant command quoting in CGI Servlet
(updated )
If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested.
if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
execCmd = "\"" + execCmd + "\"";
References
- github.com/advisories/GHSA-3gh6-v5v9-6v9j
- github.com/eclipse/jetty.project
- github.com/eclipse/jetty.project/pull/9516
- github.com/eclipse/jetty.project/pull/9888
- github.com/eclipse/jetty.project/pull/9889
- github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
- lists.debian.org/debian-lts-announce/2023/09/msg00039.html
- nvd.nist.gov/vuln/detail/CVE-2023-36479
- www.debian.org/security/2023/dsa-5507
Detect and mitigate CVE-2023-36479 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →