Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-36478 @ Maven-org.eclipse.jetty.http2:http2-hpack-9.4.12.RC0 #1554

Open
cxronen opened this issue Jun 14, 2024 · 0 comments
Open

CVE-2023-36478 @ Maven-org.eclipse.jetty.http2:http2-hpack-9.4.12.RC0 #1554

cxronen opened this issue Jun 14, 2024 · 0 comments

Comments

@cxronen
Copy link
Owner

cxronen commented Jun 14, 2024

Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2023-36478
Checkmarx Project: cxronen/BookStore_VSCode
Repository URL: https://github.com/cxronen/BookStore_VSCode
Branch: master
Scan ID: 3aaa12b3-552a-4874-ba98-3d364d7d56f6


Eclipse Jetty provides a web server and servlet container.An integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when the length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2.
This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack.
This issue affects the packages org.eclipse.jetty:jetty-http in versions 9.3.0.M0 through 9.4.52.v20230823, 10.0.0-alpha0 through 10.0.15, and 11.0.0-alpha0 through 11.0.15, 12.0.0.alpha0 through 12.0.0.beta1, org.eclipse.jetty.http3:http3-qpack in versions 10.0.8 through 10.0.15, and 11.0.8 through 11.0.15, org.eclipse.jetty.http2:jetty-http2-hpack, org.eclipse.jetty.http3:jetty-http3-qpack in versions 12.0.0.alpha0 through 12.0.0.beta1, and org.eclipse.jetty.http2:http2-hpack versions 9.3.0.M0 through 9.4.52.v20230823, 10.0.0-alpha0 through 10.0.15, and 11.0.0-alpha0 through 11.0.15.


Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: HIGH
Remediation Upgrade Recommendation: 9.4.53.v20231009

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant