Vulnerability Name:

CVE-2023-26049 (CCN-253355)

Assigned:2023-04-18
Published:2023-04-18
Updated:2023-05-26
Summary:Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.
CVSS v3 Severity:2.4 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)
2.1 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
4.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)
3.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:6.1 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:M/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Multiple_Instances
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2023-26049

Source: XF
Type: UNKNOWN
eclipse-cve202326049-info-disc(253355)

Source: security-advisories@github.com
Type: Patch
security-advisories@github.com

Source: security-advisories@github.com
Type: Patch
security-advisories@github.com

Source: CCN
Type: Jetty GIT Repository
Cookie parsing of quoted values can exfiltrate values from other cookies

Source: security-advisories@github.com
Type: Patch, Vendor Advisory
security-advisories@github.com

Source: security-advisories@github.com
Type: UNKNOWN
security-advisories@github.com

Source: CCN
Type: IBM Security Bulletin 6995451 (Business Automation Workflow)
A CVE-2023-26049 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow

Source: CCN
Type: IBM Security Bulletin 6998727 (Cloud Pak for Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business

Source: CCN
Type: IBM Security Bulletin 7001787 (Operational Decision Manager)
IBM Operational Decision Manager May 2023 - Multiple CVEs

Source: CCN
Type: IBM Security Bulletin 7001793 (App Connect Enterprise Toolkit)
Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit

Source: CCN
Type: IBM Security Bulletin 7009729 (Rational Functional Tester)
An Eclipse Jetty vulnerability affects IBM Rational Functional Tester

Source: CCN
Type: IBM Security Bulletin 7011337 (Sterling Connect:Direct Web Services)
IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 7014659 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7014905 (Sterling Connect:Direct Browser User Interface)
IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty.

Source: CCN
Type: IBM Security Bulletin 7014917 (Rational Change)
Multiple Vulnerabilities in Rational Change 5.3.2 Fix Pack 05 and earlier versions.

Source: CCN
Type: IBM Security Bulletin 7014919 (Rational Synergy)
Multiple Vulnerabilities in Rational Synergy 7.2.2 Fix Pack 05 and earlier versions.

Source: CCN
Type: IBM Security Bulletin 7015809 (Cloud Pak for Data System)
Vulnerability in jetty-http affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2023-26049]

Source: CCN
Type: Mend Vulnerability Database
CVE-2023-26049

Source: security-advisories@github.com
Type: Technical Description
security-advisories@github.com

Source: security-advisories@github.com
Type: Technical Description
security-advisories@github.com

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:eclipse:jetty:9.4.50:*:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.13:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operational_decision_manager:8.10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8142
    P
    		Security update for jetty-minimal (Moderate)
    2023-06-19
    BACK
    eclipse jetty 9.4.50
    eclipse jetty 11.0.13
    ibm app connect 11.0.0.1
    ibm rational functional tester 9.5
    ibm operational decision manager 8.10
    ibm cloud transformation advisor 2.0.1
    ibm cloud pak for automation 19.0.3
    ibm business automation workflow 19.0.0.3
    ibm cloud pak for automation 20.0.1
    ibm cloud pak for automation 20.0.2
    ibm cloud pak for automation 20.0.3
    ibm cloud pak for automation 21.0.1
    ibm app connect enterprise 12.0.1.0
    ibm cloud pak for automation 21.0.2 -
    ibm cloud pak for automation 19.0.1
    ibm cloud pak for automation 19.0.2
    ibm cloud pak for business automation 18.0.0
    ibm cloud pak for business automation 18.0.2
    ibm cloud pak for business automation 19.0.1
    ibm cloud pak for business automation 19.0.3
    ibm cloud pak for business automation 20.0.1
    ibm cloud pak for business automation 20.0.3
    ibm cloud pak for business automation 21.0.1 -
    ibm cloud pak for business automation 21.0.2 -
    ibm cloud pak for business automation 21.0.3 -
    ibm cloud pak for business automation 22.0.1 -
    ibm cloud pak for business automation 22.0.2 -