Is CVE-2020-27218 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 8%.

What products does CVE-2020-27218 affect?

Tracked products affected include Apache Kafka, Eclipse Jetty, Spark. Check the version you run to see whether it is affected.

How do I fix CVE-2020-27218?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

← All products

CVE-2020-27218

Q: What is CVE-2020-27218?

CVE-2020-27218 is a medium-severity software vulnerability (CWE-226) with a CVSS score of 4.8. In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection

MEDIUM severity · CVSS 4.8 · CWE-226

4.8CVSS MEDIUM

Summary

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactLow

Availability impactLow

Exploit probability (EPSS)8%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected products we track (3)

Apache Kafka Eclipse Jetty Spark

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

CVE-2020-27218

Summary

Impact & exploitability

Affected products we track (3)

Recommendation

Additional information