CVE-2020-27223
DOS vulnerability for Quoted Quality CSV headers
5.3
MEDIUM
CVSS 3.1
EPSS 33.8%
Description
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state: processing those quality values is CPU-intensive and a single request can consume minutes of CPU time.
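The cost described above scales with the total number of q parameters across all Accept headers on one request, so a cheap pre-parse budget check is a practical stop-gap until the upgrade lands. The following is an added example (not Jetty code); the limit of 20, the header samples and the function names are assumptions:

```python
"""Pre-parse guard for the CVE-2020-27223 pattern: many quality (q)
parameters spread across several Accept headers on one request.
Added example, not Jetty's own code; the threshold and samples are assumed."""
from typing import Iterable, List, Tuple

# Assumed budget: real clients send a handful of media ranges, not hundreds.
MAX_Q_PARAMS = 20


def count_quality_params(accept_values: Iterable[str]) -> int:
    """Count q= parameters over every Accept header value of a request.

    A request may carry multiple Accept headers; the server combines them
    before sorting by quality, so the work grows with the total across all.
    This is an approximate counter: a comma inside a quoted parameter value
    would split a media range in two, which can only over-count.
    """
    total = 0
    for header in accept_values:
        for media_range in header.split(","):
            # parameters follow the media type and are separated by ';'
            params = media_range.split(";")[1:]
            total += sum(1 for p in params if p.strip().lower().startswith("q="))
    return total


def should_reject(headers: List[Tuple[str, str]], limit: int = MAX_Q_PARAMS) -> bool:
    """True when a request's Accept headers exceed the q-parameter budget.

    `headers` is the raw (name, value) list; header names are case-insensitive.
    Rejecting here costs O(header length) instead of the quality-sort work.
    """
    accepts = [value for name, value in headers if name.lower() == "accept"]
    return count_quality_params(accepts) > limit


# Constructed samples, not captured traffic.
BENIGN = [("Host", "example.test"),
          ("Accept", "text/html;q=0.9, application/xhtml+xml, */*;q=0.8")]
# Three Accept headers with 50 media ranges each (150 q parameters total).
SUSPECT = [("Host", "example.test")] + [
    ("Accept", ", ".join(f"text/plain;q=0.{i % 10}" for i in range(50)))
    for _ in range(3)
]

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "reject" if should_reject(request) else "accept")
```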
How to fix CVE-2020-27223
To remediate CVE-2020-27223, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 8.8.2 or later
- —upgrade to 3.1.2 or later
- —upgrade to 9.4.38-1 or later
- —upgrade to 9.4.37 or later
Is CVE-2020-27223 being exploited?
Moderate — EPSS is 33.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- >= 1.13.0, <= 1.13.0
- >= 8.8.1, < 8.8.2
- >= 3.1.1, < 3.1.2
- from 0, < 9.4.38-1
- >= 9.4.6, < 9.4.37
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |