[KAFKA-12400] Upgrade jetty to fix CVE-2020-27223 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.8.0, 2.7.1, 2.6.2
Component/s: None
Labels:
None

Description

CVE-2020-27223 Detail

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Attachments

Issue Links

links to

GitHub Pull Request #10245

Activity

People

Assignee:: Dongjin Lee

Reporter:: Dongjin Lee

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 02/Mar/21 08:11

Updated:: 03/Mar/21 04:48

Resolved:: 03/Mar/21 04:48