Is CVE-2020-27223 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 78%.

What products does CVE-2020-27223 affect?

Tracked products affected include Apache Solr, Apache NiFi, Eclipse Jetty, Spark. Check the version you run to see whether it is affected.

How do I fix CVE-2020-27223?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

← All products

CVE-2020-27223

Q: What is CVE-2020-27223?

CVE-2020-27223 is a medium-severity software vulnerability (CWE-407) with a CVSS score of 5.2. In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of serv

MEDIUM severity · CVSS 5.2 · CWE-407

5.2CVSS MEDIUM

Summary

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Impact & exploitability

Attack vectorAdjacent

Attack complexityLow

Privileges requiredLow

User interactionRequired

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)78%

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Affected products we track (4)

Apache Solr Apache NiFi Eclipse Jetty Spark

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128Advisory
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7Advisory
https://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131
https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78%40%3Cissues.solr.apache.org%3E
https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320%40%3Cusers.solr.apache.org%3E
https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428%40%3Ccommits.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760%40%3Cnotifications.zookeeper.apache.org%3E