Vulnerability DatabaseCVE-2023-36478

CVE-2023-36478:
Java vulnerability analysis and mitigation

Overview

Eclipse Jetty versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52 contain a vulnerability identified as CVE-2023-36478. The vulnerability was discovered in the HTTP/2 HPACK header processing component, specifically in the MetaDataBuilder.checkSize functionality. This security flaw allows HTTP/2 HPACK header values to exceed their intended size limits due to an integer overflow issue (GitHub Advisory).

Technical details

The vulnerability stems from an integer overflow in MetaDataBuilder.checkSize where the multiplication of length by 4 in the huffman calculation can result in a negative value. When length is very large and huffman is true, the multiplication operation (length * 4) / 3 overflows, causing length to become negative. This negative value, when added to _size, bypasses the size limit check. Additionally, the vulnerability allows for user-entered HPACK header value sizes to be negative, which can lead to very large buffer allocations when the user-entered size is multiplied by 2 later in the process (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

Impact

The successful exploitation of this vulnerability can lead to a remote denial of service (DoS) attack. When exploited, an attacker can cause the server to allocate extremely large buffers (up to 2.1GB) repeatedly, potentially exhausting server resources. This can be achieved through specially crafted HTTP/2 requests with manipulated HPACK headers (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Jetty versions 11.0.16, 10.0.16, and 9.4.53. No workarounds are available, and users are strongly advised to upgrade to the patched versions (GitHub Advisory, Jenkins Advisory).

Community reactions

The vulnerability has received significant attention from major organizations. Jenkins addressed this vulnerability in their security advisory, recommending users to update to Jenkins 2.428 or LTS 2.414.3 (Jenkins Advisory). Debian also released security updates for affected packages in their distributions (Debian Advisory). NetApp has conducted investigations across their product line to identify affected systems (NetApp Advisory).

Additional resources

Source: This report was generated using AI

7.5

Score

Published October 10, 2023

Severity HIGH

CNA Score 7.5

Affected Technologies

Java
Jenkins

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 77.2

Exploitation Probability (EPSS) 1.1

Affected packages and libraries

jetty-xml
jetty-jsp

Sources

Alpine Security Tracker
- Alpine 3.17, 3.18, edge Severity HIGHHas FixAdded at: Oct 17, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
Debian Security Tracker
- Debian 10, 11, 12, 13 Severity HIGHHas FixAdded at: Oct 11, 2023
GitHub Advisory Database
- Maven Severity HIGHHas FixAdded at: Oct 11, 2023
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Oct 29, 2023
NVD
- Linux Severity HIGHHas FixAdded at: Oct 29, 2023
- Windows Severity HIGHHas FixAdded at: Oct 29, 2023