CVE-2023-26049: 
Java vulnerability analysis and mitigation

Jetty, a Java based web server and servlet engine, contains a vulnerability (CVE-2023-26049) related to nonstandard cookie parsing. The vulnerability was discovered and disclosed in April 2023. When Jetty encounters a cookie VALUE starting with a double quote, it continues reading the cookie string until finding a closing quote, even if semicolons are present. This behavior affects versions through 9.4.50, through 10.0.13, through 11.0.13, and through 12.0.0.alpha3 (GitHub Advisory).

The vulnerability stems from Jetty's cookie parsing mechanism. For example, if a cookie header contains DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d", Jetty will parse it as one cookie with name DISPLAY_LANGUAGE and value b; JSESSIONID=1337; c=d instead of three separate cookies. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows an attacker to smuggle cookies within other cookies. If JSESSIONID is an HttpOnly cookie and DISPLAYLANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAYLANGUAGE cookie and exfiltrate it. This is particularly significant when an intermediary enforces policies based on cookies, as smuggled cookies can bypass these policies while still being processed by the Jetty server (GitHub Advisory).

The vulnerability has been fixed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0. Users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (GitHub Advisory). The fixes were implemented through pull requests #9339 and #9352, which introduced more stringent cookie parsing rules (Jetty PR).