CVE-2020-27218
moderate-risk
Published 2020-11-28
In Eclipse Jetty versions 9.4.0.RC0 through 9.4.34.v20201102, 10.0.0.alpha0 through 10.0.0.beta2, and 11.0.0.alpha0 through 11.0.0.beta2, three conditions combine to let one client's data leak into another client's request: GZIP request body inflation is enabled; requests from different clients are multiplexed onto a single connection to Jetty (typically a persistent connection reused by a reverse proxy or load balancer); and an attacker sends a request whose body is received entirely by Jetty but never consumed by the application. The unconsumed, inflated data is then prepended to the body of the next request sent on that connection. The attacker cannot read any data from the victim's request, but can inject data into its body.
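The two preconditions named in the description suggest a defensive configuration. The following is an added example, not code from the Jetty project or from this page: an embedded Jetty 9.4 server that disables inflation of gzip request bodies on the GzipHandler and installs a servlet filter that drains whatever body the application left unread, so nothing remains buffered to be prepended to the next request on a reused connection. The HelloServlet, the port and the class and filter names are illustrative assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class DrainedBodyServer {

    /**
     * Runs after the application and reads whatever is left of the request
     * body, so a body the application ignored (the precondition in the
     * advisory text) is fully consumed before the connection can be reused.
     */
    public static final class DrainRequestBodyFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            try {
                chain.doFilter(req, resp);
            } finally {
                drainRemainingBody(req);
            }
        }
    }

    /** Consumes the rest of the body via whichever accessor the app already used. */
    static long drainRemainingBody(ServletRequest req) throws IOException {
        long drained = 0;
        try {
            InputStream in = req.getInputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) drained += n;
        } catch (IllegalStateException alreadyUsingReader) {
            // Servlet API: getInputStream() throws if getReader() was called first.
            Reader r = req.getReader();
            char[] buf = new char[8192];
            int n;
            while ((n = r.read(buf)) != -1) drained += n;
        }
        return drained;
    }

    /** Illustrative application servlet (an assumption) that never reads the body. */
    static final class HelloServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello");
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);   // port is an assumption

        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        ctx.setContextPath("/");
        ctx.addServlet(new ServletHolder(new HelloServlet()), "/*");
        ctx.addFilter(new FilterHolder(new DrainRequestBodyFilter()), "/*",
                      EnumSet.of(DispatcherType.REQUEST));

        // Inflation of gzip request bodies is the other precondition; a buffer
        // size of 0 turns it off, so Jetty passes compressed bodies through as-is.
        GzipHandler gzip = new GzipHandler();
        gzip.setInflateBufferSize(0);
        gzip.setHandler(ctx);

        server.setHandler(gzip);
        server.start();
        server.join();
    }
}
```

Draining runs in a `finally` block so it also happens when the application throws. The cost of the drain is attacker-controlled, so keep a request body size limit in front of Jetty (at the proxy, or via Jetty's own limits) as well. On a fixed Jetty release both measures are defence in depth rather than the fix itself.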
Do I need to act?
EPSS: 0.60% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: not recorded on this page. The linked GitHub advisory (GHSA-86wm-rrjm-8wh8) reports fixes in Jetty 9.4.35.v20201120, 10.0.0.beta3 and 11.0.0.beta3; confirm fix availability and mitigation guidance against the vendor advisories
CVSS: 4.8/10 (Medium); attack vector Network, attack complexity High
Affected Products (20)
References (234)
Issue Tracking
https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892
Third Party Advisory
https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8
and 214 more references
Risk score: 39/100 (moderate-risk)
Severity: 15/34 (Moderate)
Exploitability: 2/34 (Minimal)
Exposure: 22/34 (High)