CVE-2020-27218: Medium severity Eclipse Jetty vulnerability

Published Nov 27, 2020
·
Updated

Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body.

The attacker will not see any data, but may inject data into the body of the subsequent request

CVE score is 4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a Connection: close to any response where the servlet does not fully consume request content.

Other sources

Eclipse Jetty could allow a remote attacker to bypass security restrictions, caused by a flaw when GZIP request body inflation is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject data into the body of the subsequent request.

IBM

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Affected Software

34 affected componentsFixes available
redhat/jenkins<0:2.289.1.1624365627-1.el7
0:2.289.1.1624365627-1.el7
redhat/jenkins<0:2.277.3.1623846768-1.el7
0:2.277.3.1623846768-1.el7
redhat/jenkins<0:2.277.3.1623853726-1.el8
0:2.277.3.1623853726-1.el8
redhat/jetty<9.4.35.
9.4.35.
redhat/jetty<10.0.0.
10.0.0.
redhat/jetty<11.0.0.
11.0.0.
maven/org.eclipse.jetty:jetty-server>=9.4.0<=9.4.34
9.4.35.v20201120
Eclipse Jetty>=9.4.0<9.4.35
Eclipse Jetty=10.0.0-alpha0
Eclipse Jetty=10.0.0-alpha1
Eclipse Jetty=10.0.0-beta0
Eclipse Jetty=10.0.0-beta1
Eclipse Jetty=10.0.0-beta2
Eclipse Jetty=11.0.0-alpha0
Eclipse Jetty=11.0.0-beta1
Eclipse Jetty=11.0.0-beta2
NetApp OnCommand System Manager>=3.0<=3.1.3
NetApp Snap Creator Framework
Oracle Blockchain Platform<21.1.2
Oracle Communications Converged Application Server - Service Controller=6.2
Oracle Communications Offline Mediation Controller=12.0.0.3.0
Oracle Communications Pricing Design Center=12.0.0.3.0
Oracle Communications Services Gatekeeper=7.0
Oracle Communications Session Route Manager>=8.0.0<=8.2.4
Oracle FLEXCUBE Private Banking=12.0.0
Oracle FLEXCUBE Private Banking=12.1.0
Oracle Hyperion Infrastructure Technology=11.1.2.6.0
Oracle REST Data Services<20.4.3.050.1904
Oracle Retail Eftlink=20.0.0
Oracle Siebel Core - Automation<=21.5
Apache Kafka=2.7.0
Apache Spark=2.4.8
Apache Spark=3.0.3
Debian Debian Linux=10.0

Remediation

Patch Available

https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17@%3Ccommits.zookeeper.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab@%3Ccommits.spark.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e@%3Ccommits.spark.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25@%3Ccommits.kafka.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29@%3Ccommits.spark.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8@%3Ccommits.zookeeper.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944@%3Ccommits.kafka.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388@%3Cjira.kafka.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb@%3Ccommits.kafka.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88@%3Cdev.hbase.apache.org%3E

Patch Available

https://www.oracle.com//security-alerts/cpujul2021.html

Patch Available

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Event History

Nov 27, 2020
CVE Published
12:00 AM
Nov 28, 2020
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness
Nov 30, 2020
Data Sourced
via Red Hat·07:20 PM
DescriptionSeverityAffected Software
Dec 2, 2020
Advisory Published
via GitHub·06:28 PM
Jun 29, 2021
Data Sourced
via IBM·12:00 AM
DescriptionSeverityAffected Software
May 19, 58337
Event
10:35 AM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for this Eclipse Jetty vulnerability?

The vulnerability ID for this Eclipse Jetty vulnerability is CVE-2020-27218.

2

What is the severity level of CVE-2020-27218?

CVE-2020-27218 has a severity level of medium (4.8).

3

Which versions of Eclipse Jetty are affected by this vulnerability?

Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2 are affected by this vulnerability.

4

How can an attacker exploit CVE-2020-27218?

An attacker can exploit CVE-2020-27218 by sending a request with a body that is larger than the content length.

5

Are there any known remediation steps for this vulnerability?

Yes, upgrading to Eclipse Jetty version 9.4.35, 10.0.0 or 11.0.0 is recommended to remediate this vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203