CVE-2020-27218

EPSS 0.6%
Published 28.11.2020 01:15:11
Last modified 21.11.2024 05:20:52
Source emo@eclipse.org
Teams watchlist Login
Open Login

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Affected products Warnungen 0 Metrics 3 CWE 1 References 120

Data is provided by the National Vulnerability Database (NVD)

Eclipse ≫ Jetty Version >= 9.4.0 < 9.4.35

Eclipse ≫ Jetty Version10.0.0 Updatealpha0

Eclipse ≫ Jetty Version10.0.0 Updatealpha1

Eclipse ≫ Jetty Version10.0.0 Updatebeta0

Eclipse ≫ Jetty Version10.0.0 Updatebeta1

Eclipse ≫ Jetty Version10.0.0 Updatebeta2

Eclipse ≫ Jetty Version11.0.0 Updatealpha0

Eclipse ≫ Jetty Version11.0.0 Updatebeta1

Eclipse ≫ Jetty Version11.0.0 Updatebeta2

Netapp ≫ Oncommand System Manager Version >= 3.0 <= 3.1.3

Netapp ≫ Snap Creator Framework Version-

Oracle ≫ Blockchain Platform Version < 21.1.2

Oracle ≫ Communications Converged Application Server - Service Controller Version6.2

Oracle ≫ Communications Offline Mediation Controller Version12.0.0.3.0

Oracle ≫ Communications Pricing Design Center Version12.0.0.3.0

Oracle ≫ Communications Services Gatekeeper Version7.0

Oracle ≫ Communications Session Route Manager Version >= 8.0.0 <= 8.2.4

Oracle ≫ Flexcube Private Banking Version12.0.0

Oracle ≫ Flexcube Private Banking Version12.1.0

Oracle ≫ Hyperion Infrastructure Technology Version11.1.2.6.0

Oracle ≫ Rest Data Services SwEdition- Version < 20.4.3.050.1904

Oracle ≫ Retail Eftlink Version20.0.0

Oracle ≫ Siebel Core - Automation Version <= 21.5

Apache ≫ Kafka Version2.7.0

Apache ≫ Spark Version2.4.8

Apache ≫ Spark Version3.0.3

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.6%	0.686

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:N/I:P/A:P

CWE-226 Sensitive Information in Resource Not Removed Before Reuse

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E

Issue Tracking

https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E