CVE-2020-27223: Medium severity Eclipse Jetty vulnerability
Eclipse Jetty is vulnerable to a denial of service caused by inefficient handling of a request that carries multiple Accept headers with a large number of quality (q) parameters. By sending a single specially-crafted request, an unauthenticated remote attacker can consume minutes of server CPU time.
Other sources
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state: processing those quality values can exhaust minutes of CPU time.
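The following Python is an added example, not code from the advisory or from the Jetty project. It does two things a practitioner would want when triaging this CVE: it checks a Jetty version string against the affected range stated above, and it counts the Accept headers and q parameters in a request so that a reverse proxy or WAF in front of an unpatched Jetty can refuse requests that match the pattern the advisory describes. The version-string grammar, the rejection thresholds, and the two sample requests are assumptions constructed for illustration; the thresholds are not values taken from Jetty's fix.

```python
"""Added example for CVE-2020-27223 (not Jetty project code).

- is_affected(): version check against the advisory's affected ranges.
- accept_header_stats() / should_reject(): count Accept headers and
  quality (q) parameters in a request, the input pattern the advisory
  says drives CPU exhaustion on unpatched servers.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Jetty version strings look like "9.4.36.v20210114" or "10.0.1".
# The optional ".vYYYYMMDD" suffix is ignored for range comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")


def parse_jetty_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) or raise ValueError on an unknown format."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """Affected per the advisory: 9.4.6 .. 9.4.36 inclusive, 10.0.0, 11.0.0.
    Fixed in 9.4.37.v20210219, 10.0.1 and 11.0.1."""
    major, minor, patch = parse_jetty_version(version)
    if (major, minor) == (9, 4):
        return 6 <= patch <= 36
    return (major, minor, patch) in {(10, 0, 0), (11, 0, 0)}


def _split_unquoted(value: str, sep: str) -> List[str]:
    """Split on `sep` while leaving quoted-string parameters intact."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def accept_header_stats(headers: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count Accept header lines, media ranges, and q parameters in a request.

    `headers` is the raw (name, value) list, so repeated Accept lines are
    counted individually rather than merged.
    """
    accept_headers = media_ranges = q_params = 0
    for name, value in headers:
        if name.lower() != "accept":
            continue
        accept_headers += 1
        for media_range in _split_unquoted(value, ","):
            media_ranges += 1
            params = _split_unquoted(media_range, ";")[1:]  # drop the type/subtype
            q_params += sum(
                1 for p in params if p.split("=", 1)[0].strip().lower() == "q"
            )
    return {
        "accept_headers": accept_headers,
        "media_ranges": media_ranges,
        "q_params": q_params,
    }


# Assumed thresholds for a front-end filter: real clients send one Accept
# header with a handful of q values. Tune for your traffic.
MAX_ACCEPT_HEADERS = 8
MAX_Q_PARAMS = 64


def should_reject(headers: Iterable[Tuple[str, str]]) -> bool:
    """True if the request exceeds the assumed Accept/q budget."""
    s = accept_header_stats(headers)
    return s["accept_headers"] > MAX_ACCEPT_HEADERS or s["q_params"] > MAX_Q_PARAMS


# Constructed sample requests (not captured traffic).
NORMAL_HEADERS = [
    ("Host", "jetty.example.test"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
]
# Twenty Accept lines, each carrying fifty media ranges with a q parameter.
HEAVY_HEADERS = [("Host", "jetty.example.test")] + [
    ("Accept", ",".join(["text/plain;q=0.5"] * 50)) for _ in range(20)
]

if __name__ == "__main__":
    for v in ("9.4.36.v20210114", "9.4.37.v20210219", "10.0.0", "11.0.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("normal:", accept_header_stats(NORMAL_HEADERS), should_reject(NORMAL_HEADERS))
    print("heavy: ", accept_header_stats(HEAVY_HEADERS), should_reject(HEAVY_HEADERS))
```

The filter is a stop-gap for the window before the upgrade, not a substitute for it: it only narrows the input pattern the advisory names, and the thresholds are a guess that must be tuned against real client traffic so legitimate content negotiation is not blocked.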
Affected Software
Eclipse Jetty 9.4.6.v20170531 through 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0.
Remediation
Patch available: upgrade to Jetty 9.4.37.v20210219, 10.0.1, or 11.0.1.
Frequently Asked Questions
What is CVE-2020-27223?
CVE-2020-27223 is a vulnerability in Eclipse Jetty that can cause a denial of service (DoS) through high CPU usage when the server processes a request containing multiple Accept headers with a large number of q parameters.
Which versions of Eclipse Jetty are affected by CVE-2020-27223?
Eclipse Jetty versions 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 are affected.
What is the severity of CVE-2020-27223?
CVE-2020-27223 has a CVSS base score of 5.3, which is classified as medium severity.
How can I fix CVE-2020-27223?
To fix CVE-2020-27223, upgrade to the fixed release for your branch: 9.4.37.v20210219 (9.4.x), 10.0.1 (10.0.x), or 11.0.1 (11.0.x).
Where can I find more information about CVE-2020-27223?
More information about CVE-2020-27223 can be found at the following references: [Eclipse bug 571128](https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128), [GitHub advisory GHSA-m394-8rww-3jr7](https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7), [Red Hat Bugzilla 1934117](https://bugzilla.redhat.com/show_bug.cgi?id=1934117).