In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
Weakness
The product does not release or incorrectly releases a resource before it is made available for re-use.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jetty | Eclipse | 9.4.0 (including) | 9.4.57 (excluding) |
| Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7 | RedHat | jetty-server | * |
| Red Hat Satellite 6.15 for RHEL 8 | RedHat | puppetserver-0:7.17.3.1-1.el8sat | * |
| Red Hat Satellite 6.15 for RHEL 8 | RedHat | puppetserver-0:7.17.3.1-1.el8sat | * |
| Streams for Apache Kafka 2.9.1 | RedHat | jetty-server | * |
| Streams for Apache Kafka 3.0.0 | RedHat | jetty-server | * |
| Jetty9 | Ubuntu | focal | * |
| Jetty9 | Ubuntu | oracular | * |
| Jetty9 | Ubuntu | plucky | * |
| Jetty9 | Ubuntu | upstream | * |
Potential Mitigations
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/125.html
- https://cwe.mitre.org/data/definitions/130.html
- https://cwe.mitre.org/data/definitions/131.html
- https://cwe.mitre.org/data/definitions/494.html
- https://cwe.mitre.org/data/definitions/495.html
- https://cwe.mitre.org/data/definitions/496.html
- https://cwe.mitre.org/data/definitions/666.html