
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Jetty, a Java-based web server and servlet engine, was found to be vulnerable to weak authentication in versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15. The vulnerability was discovered and disclosed in September 2023 and affects installations that use the OpenIdAuthenticator with a nested LoginService configuration (GitHub Advisory).
The vulnerability occurs when a Jetty OpenIdAuthenticator uses the optional nested LoginService and that LoginService decides to revoke an already authenticated user. In this scenario the current request still treats the user as authenticated, even though the authentication has been cleared from the session. This creates a window in which subsequent requests are correctly treated as unauthenticated, but the current request keeps its authenticated status after the rejection (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 3.5 LOW with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N (NVD).
The vulnerability allows a request on a previously authenticated session to bypass authentication after it has been rejected by the LoginService. It specifically affects deployments of jetty-openid that have configured a nested LoginService, where that LoginService is capable of rejecting previously authenticated users (GitHub Advisory).
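The session-versus-request state divergence described above, as an added illustration in a simplified constructed model (this is not Jetty's code): the flawed pattern clears the session record but still returns the identity it read before the LoginService rejected it, while the corrected pattern treats the current request as unauthenticated as well. The session attribute name, the class shapes and the user name are assumptions.

```python
from typing import Optional

# Constructed name for the session attribute that holds the authenticated identity.
SESSION_AUTH_KEY = "__J_AUTHENTICATED"


class LoginService:
    """Nested LoginService that can revoke a user between requests."""

    def __init__(self) -> None:
        self.revoked = set()

    def revoke(self, user: str) -> None:
        self.revoked.add(user)

    def validate(self, user: str) -> bool:
        return user not in self.revoked


class Request:
    """A request bound to a shared session; `authentication` is who it is treated as."""

    def __init__(self, session: dict) -> None:
        self.session = session
        self.authentication: Optional[str] = None


def validate_request_vulnerable(request: Request, svc: LoginService) -> Optional[str]:
    """Flawed pattern: rejection clears the session, so later requests are logged
    out, but the identity already read from the session is still returned here."""
    auth = request.session.get(SESSION_AUTH_KEY)
    if auth is not None and not svc.validate(auth):
        request.session.pop(SESSION_AUTH_KEY, None)  # affects subsequent requests only
    request.authentication = auth  # stale identity survives for this request
    return request.authentication


def validate_request_fixed(request: Request, svc: LoginService) -> Optional[str]:
    """Corrected pattern: a rejected identity is dropped for this request too."""
    auth = request.session.get(SESSION_AUTH_KEY)
    if auth is not None and not svc.validate(auth):
        request.session.pop(SESSION_AUTH_KEY, None)
        auth = None
    request.authentication = auth
    return request.authentication


def run_scenario(validate) -> tuple:
    """Authenticate a user, revoke them, then send two requests on the same
    session; returns the identity each request was treated as."""
    svc = LoginService()
    session = {SESSION_AUTH_KEY: "alice"}  # constructed: user already logged in
    svc.revoke("alice")
    first = validate(Request(session), svc)
    second = validate(Request(session), svc)
    return first, second
```

Running `run_scenario` with each validator shows the first request keeping "alice" under the flawed pattern and being rejected under the corrected one.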
The vulnerability has been patched in versions 9.4.52, 10.0.16, and 11.0.16. Users are advised to upgrade to these patched versions, as there are no known workarounds (GitHub Advisory). The fixes were implemented through pull request #9528 for versions 10.0.16 and 11.0.16, and pull request #9660 for version 9.4.52 (GitHub PR, GitHub PR).
Multiple organizations have acknowledged and responded to this vulnerability. NetApp has issued an advisory (NTAP-20231110-0004) to address the potential impact on their products (NetApp Advisory). Debian has also released security updates to address this vulnerability along with other Jetty-related issues in their DSA-5507-1 advisory (Debian Advisory).
Source: This report was generated using AI