CVE-2023-41900

Aliases: GHSA-pwh8-58vv-vw48
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 15 Sept 2023, 20:17
Last modified: 13 Feb 2025, 17:09

Vulnerability Summary

Overall Risk (default): medium, 27/100
CVSS Score: 4.3 MEDIUM (v3.1, NVD)
EPSS Score: 0.14% LOW (rounded 0% probability; change +0.01%)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected

Timeline

15 Sept 2023, 20:17
Published
Vulnerability first disclosed
13 Feb 2025, 17:09
Last Modified
Vulnerability information updated

Description

Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` is configured with the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, the current request is still treated as authenticated. The authentication is then cleared from the session, so subsequent requests are no longer treated as authenticated. The effect is that one request on a previously authenticated session can bypass authentication after the `LoginService` has already rejected the user: the revoked identity remains usable for exactly that request. This impacts deployments of jetty-openid that have configured a nested `LoginService` capable of rejecting previously authenticated users; deployments that use `OpenIdAuthenticator` without a nested `LoginService` are not affected. Versions 9.4.52, 10.0.16, and 11.0.16 contain a fix for this issue.
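The control flow described above, as an added illustration that is not Jetty's code and not the actual upstream patch: a simplified model in which `Session`, `RevocableLoginService`, `AUTH_ATTR` and the two `validate_request_*` functions are hypothetical stand-ins for the servlet session, the nested `LoginService`, the session attribute that caches the authentication, and `OpenIdAuthenticator`'s request validation. The "vulnerable" shape clears the session but still returns the stale identity for the current request; the "fixed" shape discards it for that request too.

```python
"""Model of the CVE-2023-41900 bug class (added example, not Jetty code).

A session-cached authentication is handed back for the current request even
after the nested LoginService has revoked the user; only later requests see
the cleared session.
"""
from dataclasses import dataclass, field
from typing import Optional

AUTH_ATTR = "cached.authentication"  # hypothetical session attribute key


@dataclass(frozen=True)
class UserIdentity:
    name: str


@dataclass
class Session:
    attrs: dict = field(default_factory=dict)


class RevocableLoginService:
    """Stand-in for the optional nested LoginService: validate() returns
    False once the user has been revoked (account disabled, group removed)."""

    def __init__(self) -> None:
        self._revoked = set()

    def revoke(self, name: str) -> None:
        self._revoked.add(name)

    def validate(self, user: UserIdentity) -> bool:
        return user.name not in self._revoked


def validate_request_vulnerable(session: Session,
                                login_service: Optional[RevocableLoginService]
                                ) -> Optional[UserIdentity]:
    """Buggy shape: revocation clears the session attribute, but the local
    variable still holds the stale identity and is returned, so THIS request
    is served as authenticated."""
    auth = session.attrs.get(AUTH_ATTR)
    if auth is not None and login_service is not None and not login_service.validate(auth):
        session.attrs.pop(AUTH_ATTR, None)  # only subsequent requests notice
    return auth


def validate_request_fixed(session: Session,
                           login_service: Optional[RevocableLoginService]
                           ) -> Optional[UserIdentity]:
    """Fixed shape: on revocation, drop the identity for the current request
    as well. None means the caller must start the OpenID login flow again."""
    auth = session.attrs.get(AUTH_ATTR)
    if auth is not None and login_service is not None and not login_service.validate(auth):
        session.attrs.pop(AUTH_ATTR, None)
        auth = None
    return auth


def simulate(validate_request) -> list:
    """Three requests on one already-authenticated session (constructed
    input): before revocation, the request in which revocation is first
    observed, and one after. Returns whether each request was served as
    authenticated."""
    svc = RevocableLoginService()
    session = Session({AUTH_ATTR: UserIdentity("alice")})
    served = [validate_request(session, svc) is not None]
    svc.revoke("alice")
    served.append(validate_request(session, svc) is not None)  # the bypass window
    served.append(validate_request(session, svc) is not None)
    return served


if __name__ == "__main__":
    print("vulnerable:", simulate(validate_request_vulnerable))
    print("fixed:     ", simulate(validate_request_fixed))
```

The middle element of each result is the whole vulnerability: the vulnerable shape serves the request in which revocation is detected, the fixed shape rejects it. Passing `None` as the nested login service makes both shapes behave identically, which matches the advisory's scope statement that only configurations with a revoking nested `LoginService` are affected.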

CVSS Metrics

  • v3.1 LOW, score 3.5: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
  • v3.1 MEDIUM, score 4.3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.14% Percentile: 34%

Techniques & Countermeasures

  • CWE-1390: Weak Authentication

    The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

  • CWE-287: Improper Authentication

    When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Systems

  • debian / debian_linux

    11.0 | 12.0

  • eclipse / jetty

    ≥ 9.4.21, < 9.4.52 | ≥ 10.0.0, < 10.0.16 | ≥ 11.0.0, < 11.0.16

  • eclipse / jetty.project

    ≥ 9.4.21, ≤ 9.4.51 | ≥ 10.0.0, ≤ 10.0.15 | ≥ 11.0.0, ≤ 11.0.15

  • org.eclipse.jetty / jetty-openid

    ≥ 9.4.21, < 9.4.52.v20230823 | ≥ 10.0.0, < 10.0.16 | ≥ 11.0.0, < 11.0.16

References (8)