CVE-2023-36479
Java vulnerability analysis and mitigation

Overview

CVE-2023-36479 affects the CgiServlet component of Eclipse Jetty. The advisory was published in the Jetty project's canonical repository: users of the CgiServlet with a very specific command structure may have the wrong command executed. The issue affects versions up to 9.4.51, 10.0.15, 11.0.15, and 12.0.0-beta1, and was patched in versions 9.4.52, 10.0.16, 11.0.16, and 12.0.0-beta2 (GitHub Advisory).

Technical details

The vulnerability occurs when a user sends a request to the org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name. The servlet attempts to escape the command by wrapping it in quotation marks, and the wrapped command (plus any configured command prefix) is then passed to Runtime.exec. If the original binary name contains a quotation mark followed by a space, the resulting command line contains multiple tokens instead of one, so Runtime.exec runs a different command than the one the request named. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) by NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while GitHub assessed it at 3.5 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N (NVD, GitHub Advisory).

Impact

The vulnerability could allow attackers to cause the server to execute an incorrect command. For example, if a cgi-bin directory contains a binary named 'exec' and a subdirectory named 'exec" commands' that holds a file called 'bin1', a specially crafted request for that file could cause the server to execute the 'exec' binary instead of 'bin1'. This can bypass alias checks and cause unintended behaviour, especially if a command prefix is configured (GitHub Advisory).
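The token split described in the Technical details and Impact sections above, shown in an added example that is not Jetty's own code: `legacyCommandLine` reconstructs the quoting behaviour the advisory describes (wrap a path containing a space in double quotes, prepend an optional prefix), `tokenizeLikeRuntimeExec` reproduces the documented whitespace split that `Runtime.exec(String)` performs with a `StringTokenizer` (quotes are not interpreted), and `safeArgv` is the hardened form a defender would want, passing the resolved path as a single `argv` element to `Runtime.exec(String[])` and rejecting request paths that leave the cgi-bin root. The directory layout, the `/var/www/cgi-bin` root, the `/usr/bin/env` prefix and the whitespace-splitting of the prefix are assumptions of this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

public class CgiCommandTokenization {

    // Reconstruction of the behaviour the advisory describes (not Jetty's
    // source): a path containing a space is wrapped in double quotes, then an
    // optional command prefix is prepended, and the result is one String.
    static String legacyCommandLine(String path, String cmdPrefix) {
        String execCmd = path;
        if (!execCmd.isEmpty() && execCmd.charAt(0) != '"' && execCmd.contains(" ")) {
            execCmd = "\"" + execCmd + "\"";
        }
        if (cmdPrefix != null) {
            execCmd = cmdPrefix + " " + execCmd;
        }
        return execCmd;
    }

    // Runtime.exec(String) is documented to split its argument with
    // new StringTokenizer(command), i.e. on whitespace, without interpreting
    // quotes. This reproduces that split so the token boundaries are visible.
    static List<String> tokenizeLikeRuntimeExec(String command) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    // Hardened form: build an argv array for Runtime.exec(String[]) so the
    // resolved path is always exactly one argument, whatever characters it
    // contains, and reject any request path that escapes the cgi-bin root.
    // Splitting cmdPrefix on whitespace is an assumption of this example.
    static String[] safeArgv(Path cgiBinRoot, String requestPath, String cmdPrefix) {
        Path root = cgiBinRoot.toAbsolutePath().normalize();
        Path target = root.resolve(requestPath).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("request path escapes cgi-bin root: " + requestPath);
        }
        List<String> argv = new ArrayList<>();
        if (cmdPrefix != null) {
            argv.addAll(tokenizeLikeRuntimeExec(cmdPrefix));
        }
        argv.add(target.toString());
        return argv.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed layout matching the advisory's example: a binary named
        // "exec" next to a subdirectory named exec" commands that holds bin1.
        Path cgiBin = Paths.get("/var/www/cgi-bin");   // hypothetical cgi-bin root
        String requestPath = "exec\" commands/bin1";    // the file the request names
        String cmdPrefix = "/usr/bin/env";              // hypothetical command prefix

        // Legacy path: the quote inside the name ends the quoted token early,
        // so exec receives three tokens instead of the intended two.
        String legacy = legacyCommandLine(cgiBin.resolve(requestPath).toString(), cmdPrefix);
        System.out.println("legacy command line  : " + legacy);
        System.out.println("tokens handed to exec: " + tokenizeLikeRuntimeExec(legacy));

        // Hardened path: the full file name is one argv element.
        String[] argv = safeArgv(cgiBin, requestPath, cmdPrefix);
        System.out.println("hardened argv        : " + Arrays.toString(argv));

        // The root check also refuses names that resolve outside cgi-bin.
        try {
            safeArgv(cgiBin, "../outside/tool", cmdPrefix);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected             : " + e.getMessage());
        }
    }
}
```

Compile and run with `javac CgiCommandTokenization.java && java CgiCommandTokenization`. The legacy line prints the three tokens `/usr/bin/env`, `"/var/www/cgi-bin/exec"` and `commands/bin1"`, which is the "multiple tokens instead of one" failure the advisory describes; the hardened form never builds a command string at all, so there is no quoting step for a file name to break.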

Mitigation and workarounds

The primary mitigation is to stop using the org.eclipse.jetty.servlets.CGI servlet entirely. In Jetty 9.x, 10.x, and 11.x the CGI servlet is deprecated; in Jetty 12 it has been removed completely. The recommended alternative is Jetty's FastCGI support (GitHub Advisory, Debian Advisory).

Community reactions

Several Linux distributions have responded to this vulnerability with security advisories and patches. Debian released security advisories DSA-5507-1 and DLA-3592-1, which address this vulnerability together with other security issues in Jetty (Debian LTS, Debian Security).

This report was generated using AI.
