UBUNTU-CVE-2023-41900

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2023-41900

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-41900.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-41900

Related

CVE-2023-41900

Published

2023-09-15T21:15:00Z

Modified

2024-10-15T14:11:44Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the LoginService. This impacts usages of the jetty-openid which have configured a nested LoginService and where that LoginService will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

References

Affected packages

Ubuntu:Pro:16.04:LTS / jetty9

Package

Name: jetty9
Purl: pkg:deb/ubuntu/jetty9?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.2.14-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / jetty9

Package

Name: jetty9
Purl: pkg:deb/ubuntu/jetty9?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.2.22-2

9.2.22-3

9.2.23-1

9.4.15-1~18.04.1ubuntu1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / jetty9

Package

Name: jetty9
Purl: pkg:deb/ubuntu/jetty9?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.18-2build2

9.4.26-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / jetty9

Package

Name: jetty9
Purl: pkg:deb/ubuntu/jetty9?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.39-3

9.4.44-2

9.4.44-3

9.4.44-4

9.4.45-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / jetty9

Package

Name: jetty9
Purl: pkg:deb/ubuntu/jetty9?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.53-1

9.4.54-1

9.4.55-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / jetty9

Package

Name: jetty9
Purl: pkg:deb/ubuntu/jetty9?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.51-2

9.4.53-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}