Executive Summary

Information

Name: CVE-2023-41900
Vendor: Cve
First vendor publication: 2023-09-15
Last vendor modification: 2024-11-21

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Overall CVSS score: 4.3
Base score: 4.3
Environmental score: 4.3
Temporal score: 4.3
Impact sub score: 1.4
Exploitability sub score: 2.8

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality impact: Low
Integrity impact: None
Availability impact: None

Security-Database Scoring CVSS v2

CVSS vector: N/A

CVSS base score: N/A
CVSS impact score: N/A
CVSS exploit score: N/A
Attack range: N/A
Attack complexity: N/A
Authentication: N/A

Detail

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900

CWE : Common Weakness Enumeration

Id: CWE-287
Name: Improper Authentication
Weight: 100 %

CPE : Common Platform Enumeration

Type: Application, Count: 315
Type: Os, Count: 2

Sources (Detail)

https://github.com/eclipse/jetty.project/pull/9528
https://github.com/eclipse/jetty.project/pull/9660
https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
https://security.netapp.com/advisory/ntap-20231110-0004/
https://www.debian.org/security/2023/dsa-5507

Alert History

Date / Information
2024-11-28 14:29:04
  • Multiple Updates
2024-08-02 13:51:18
  • Multiple Updates
2024-08-02 01:33:52
  • Multiple Updates
2024-02-02 02:48:20
  • Multiple Updates
2024-02-01 12:30:58
  • Multiple Updates
2024-01-21 09:27:42
  • Multiple Updates
2023-11-10 21:28:14
  • Multiple Updates
2023-10-17 00:27:41
  • Multiple Updates
2023-09-29 17:27:29
  • Multiple Updates
2023-09-20 21:27:21
  • Multiple Updates
2023-09-19 09:27:22
  • First insertion