Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Metrics
Affected Vendors & Products
References
History
Wed, 25 Sep 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-09-15T18:37:35.948Z
Updated: 2024-09-25T15:04:37.795Z
Reserved: 2023-06-21T18:50:41.704Z
Link: CVE-2023-36479
Vulnrichment
Updated: 2024-08-02T16:45:57.116Z
NVD
Status : Modified
Published: 2023-09-15T19:15:08.387
Modified: 2024-11-21T08:09:47.847
Link: CVE-2023-36479
Redhat