Vulnerability Details : CVE-2019-17638
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, when the response headers are too large, Jetty throws an exception in order to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool: while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. As a result, client1, which issued request1, sees data from another request or response, which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).
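The following Java program is an added illustration written for this page; it is not Jetty's ByteBufferPool and not code from the advisory. It models a minimal buffer pool with a hypothetical `Pool` class, shows how releasing one buffer twice lets two later acquirers alias the same memory (so data written by one caller shows up in the other's buffer, which is the leak described above), and contrasts an unguarded `releaseUnchecked` with a guarded `release` that tracks checked-out buffers by identity and rejects a second release of the same buffer. The buffer contents and sizes are constructed sample values.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

public class DoubleReleaseDemo {

    // Toy pool (hypothetical): a free list plus an identity set of buffers currently checked out.
    static class Pool {
        private final ArrayDeque<ByteBuffer> free = new ArrayDeque<>();
        private final Set<ByteBuffer> inUse = Collections.newSetFromMap(new IdentityHashMap<>());

        synchronized ByteBuffer acquire(int size) {
            ByteBuffer b = free.poll();
            if (b == null) {
                b = ByteBuffer.allocate(size);
            }
            b.clear();
            inUse.add(b);
            return b;
        }

        // Unguarded release: pushes the buffer onto the free list without checking ownership,
        // so a second release of the same buffer puts it on the free list twice.
        synchronized void releaseUnchecked(ByteBuffer b) {
            inUse.remove(b);
            free.push(b);
        }

        // Guarded release: a buffer that is not currently checked out cannot be released again.
        synchronized void release(ByteBuffer b) {
            if (!inUse.remove(b)) {
                throw new IllegalStateException("double release of buffer " + System.identityHashCode(b));
            }
            free.push(b);
        }
    }

    // Reproduces the faulty sequence: one buffer released twice, then two callers each
    // acquire "their own" buffer, write into it, and end up sharing the same memory.
    static boolean leaksAcrossCallersAfterDoubleRelease() {
        Pool pool = new Pool();
        ByteBuffer headers = pool.acquire(256);
        pool.releaseUnchecked(headers); // normal release on the error path
        pool.releaseUnchecked(headers); // second release: the defect

        ByteBuffer forClient1 = pool.acquire(256); // thread1's buffer for response1
        ByteBuffer forClient2 = pool.acquire(256); // thread2 gets the very same buffer

        // thread2 writes its own headers (constructed sample data) ...
        byte[] secret = "Set-Cookie: JSESSIONID=client2-session".getBytes(StandardCharsets.US_ASCII);
        forClient2.put(secret);

        // ... and thread1, about to write response1, now sees client2's data in its buffer.
        byte[] seenByClient1 = new byte[secret.length];
        forClient1.position(0);
        forClient1.get(seenByClient1);
        return forClient1 == forClient2
            && new String(seenByClient1, StandardCharsets.US_ASCII).contains("client2-session");
    }

    // With the guarded release the second release fails loudly instead of corrupting the pool.
    static boolean guardedReleaseRejectsSecondRelease() {
        Pool pool = new Pool();
        ByteBuffer headers = pool.acquire(256);
        pool.release(headers);
        try {
            pool.release(headers);
            return false;
        } catch (IllegalStateException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("unguarded pool leaks client2 data to client1: " + leaksAcrossCallersAfterDoubleRelease());
        System.out.println("guarded pool rejects the second release:      " + guardedReleaseRejectsSecondRelease());
    }
}
```

The identity set is the detection mechanism: a pool that only knows about its free list cannot tell a legitimate release from a duplicate one. The workaround in the description maps onto Jetty's own `HttpConfiguration.setResponseHeaderSize(int)` and `setRequestHeaderSize(int)` settings; raising the response limit well above the request limit makes the 431 error path, and therefore the double release, far less likely to be reached, but only an upgrade removes the defect.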
Products affected by CVE-2019-17638
- cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.28:20200408:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.29:20200521:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-17638
32.22% - probability of exploitation activity in the next 30 days
EPSS Score History
~97% percentile - the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2019-17638
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 3.9 | 5.5 | NIST | |
CWE ids for CVE-2019-17638
- The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Assigned by: emo@eclipse.org (Secondary), nvd@nist.gov (Primary)
- The product performs the same operation on a resource two or more times, when the operation should only be applied once. Assigned by: emo@eclipse.org (Secondary)
References for CVE-2019-17638
- https://www.oracle.com/security-alerts/cpuoct2020.html - Oracle Critical Patch Update Advisory - October 2020
- https://lists.apache.org/thread.html/ra8661fc8c69c647cb06153c1485d48484a833d873f75dfe45937e9de@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] klwilson227 opened a new issue #8060: CVE-2019-17638 jetty server - Pony Mail
- https://lists.apache.org/thread.html/r521168299e023fb075b57afe33d17ff1d09e8a10e0fd8c775ea0e028@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] codelipenghui closed issue #7970: pulsar-client vulnerability CVE-2019-17638 - Pony Mail
- http://www.openwall.com/lists/oss-security/2020/08/17/1 - oss-security - Vulnerability in Jenkins
- https://lists.apache.org/thread.html/r4bdd3f7bb6820a79f9416b6667d718a06d269018619a75ce4b759318@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] guyv opened a new issue #7970: pulsar-client vulnerability CVE-2019-17638 - Pony Mail
- https://lists.apache.org/thread.html/r29073905dc9139d0d7a146595694bf57bb9e35e5ec6aa73eb9c8443a@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] sijie commented on issue #8060: CVE-2019-17638 jetty server - Pony Mail
- https://lists.apache.org/thread.html/rd98cfd012490cb02caa1a11aaa0cc38bff2d43bcce9b20c2f01063dd@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] abhishekheaven7 closed issue #8203: Pulsar client with version 2.6.1 has critical vulnerability CVE-2019-17638 - Pony Mail
- https://lists.apache.org/thread.html/r7fc5f2ed49641ea91c433e3cd0fc3d31c0278c87b82b15c33b881415@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] abhishekheaven7 opened a new issue #8203: Pulsar client with version 2.6.1 has critical vulnerability CVE-2019-17638 - Pony Mail
- https://lists.apache.org/thread.html/rbe1f230e87ea947593145d0072d0097ddb0af10fee1161db8ca1546c@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] sijie closed issue #8060: CVE-2019-17638 jetty server - Pony Mail
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list - Pony Mail
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB/ - [SECURITY] Fedora 32 Update: eclipse-4.16-11.fc32 - package-announce - Fedora Mailing-Lists
- https://www.oracle.com/security-alerts/cpuApr2021.html - Oracle Critical Patch Update Advisory - April 2021
- https://lists.apache.org/thread.html/r9a2cfa56d30782a0c17a5deb951a622d1f5c8de48e1c3b578ffc2a84@%3Ccommits.pulsar.apache.org%3E - Pony Mail!
- https://lists.apache.org/thread.html/r378e4cdec15e132575aa1dcb6296ffeff2a896745a8991522e266ad4@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] codelipenghui closed issue #7970: pulsar-client vulnerability CVE-2019-17638 - Pony Mail
- https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] GLouMcK opened a new issue #9347: Security Vulnerabilities - Black Duck Scan - Pony Mail
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984 - 564984 – (CVE-2019-17638) CVE Request: Jetty Corrupt Response Buffer (Vendor Advisory)
- https://lists.apache.org/thread.html/r81f58591fb4716fb867b36956f30c7c8ad4ab3f23abc952d9d86a2a0@%3Ccommits.pulsar.apache.org%3E - [GitHub] [pulsar] zymap commented on issue #8060: CVE-2019-17638 jetty server - Pony Mail