CVE-2023-26048: 
Java vulnerability analysis and mitigation

CVE-2023-26048 affects Jetty, a Java-based web server and servlet engine. The vulnerability was discovered in December 2022 and publicly disclosed on April 18, 2023. It affects Jetty versions through 9.4.50, through 10.0.13, and through 11.0.13. The issue occurs in servlets with multipart support that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() methods (GitHub Advisory).

The vulnerability occurs when a client sends a multipart request with a part that has a name but no filename and very large content. Even with the default settings of fileSizeThreshold=0 (which should stream the whole part content to disk), the server may experience an OutOfMemoryError. This happens specifically in servlets annotated with @MultipartConfig when processing multipart requests (GitHub Advisory).

When successfully exploited, this vulnerability can cause a Denial of Service (DoS) condition through OutOfMemoryError. While the server may be able to recover after the OutOfMemoryError and continue its service, it may take some time, affecting system availability. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NetApp Advisory).

The issue has been patched in Jetty versions 9.4.51, 10.0.14, and 11.0.14. For users unable to upgrade, a workaround is available: the multipart parameter maxRequestSize must be set to a non-negative value to limit the whole multipart content. Note that limiting multipart parameter maxFileSize alone is not sufficient as an attacker can send multiple parts that collectively cause memory issues (GitHub Advisory).