CVE Vulnerabilities

CVE-2020-27223

Inefficient Algorithmic Complexity

Published: Feb 26, 2021 | Modified: Nov 21, 2024
CVSS 3.x: 5.3 MEDIUM (Source: NVD), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V2:
RedHat/V3: 5.3 MODERATE, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu: MEDIUM

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage, with minutes of CPU time exhausted processing those quality values.

Weakness

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure the worst case is reached.

Affected Software

Name | Vendor | Start Version | End Version
Jetty | Eclipse | 9.4.7 (including) | 9.4.36 (excluding)
Jetty | Eclipse | 9.4.6-20170531 (including) | 9.4.6-20170531 (including)
Jetty | Eclipse | 9.4.6-20180619 (including) | 9.4.6-20180619 (including)
Jetty | Eclipse | 9.4.36 (including) | 9.4.36 (including)
Jetty | Eclipse | 9.4.36-20210114 (including) | 9.4.36-20210114 (including)
Jetty | Eclipse | 10.0.0 (including) | 10.0.0 (including)
Jetty | Eclipse | 11.0.0 (including) | 11.0.0 (including)
Red Hat AMQ 7.8.2 | RedHat | jetty | *
Red Hat AMQ 7.9.0 | RedHat | jetty | *
Red Hat Fuse 7.10 | RedHat | jetty | *
Red Hat Integration Camel Quarkus 2 | RedHat | jetty | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-controller-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-log-reader-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-must-gather-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-operator-bundle:v1.4.6-5 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-registry-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-rsync-transfer-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-ui-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-velero-plugin-for-aws-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8:v1.4.6-3 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8:v1.4.6-4 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-velero-restic-restore-helper-rhel8:v1.4.6-5 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-migration-velero-rhel8:v1.4.6-5 | *
Red Hat Migration Toolkit for Containers 1.4 | RedHat | rhmtc/openshift-velero-plugin-rhel8:v1.4.6-4 | *
Red Hat OpenShift Container Platform 3.11 | RedHat | jenkins-0:2.289.1.1624365627-1.el7 | *
Red Hat OpenShift Container Platform 4.5 | RedHat | jenkins-0:2.277.3.1623846768-1.el7 | *
Red Hat OpenShift Container Platform 4.6 | RedHat | jenkins-0:2.277.3.1623853726-1.el8 | *
RHAF Camel-K 1.8 | RedHat | jetty | *
Jetty9 | Ubuntu | bionic | *
Jetty9 | Ubuntu | groovy | *
Jetty9 | Ubuntu | hirsute | *
Jetty9 | Ubuntu | impish | *
Jetty9 | Ubuntu | kinetic | *
Jetty9 | Ubuntu | trusty | *
Jetty9 | Ubuntu | upstream | *
Jetty9 | Ubuntu | xenial | *

References