JOC - JobScheduler Operations Center
JOC-1553

Update Jetty Version to 11.0.15 due to 3rd party vulnerability issues in Jetty (CVE-2023-26048, CVE-2023-26049)


Details

    • Type: Fix
    • Status: Released
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.3
    • Fix Version/s: 2.5.4, 2.6.0
    • Component/s: None
    • Labels: None
    • CVE-2023-26048, CVE-2023-26049

    Description

      Current Situation

      JS7 JOC Cockpit makes use of Jetty 11.0.11. Two vulnerabilities affect this version.

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048

      and

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049

      We rate CVE-2023-26048 as medium.

      The impact is low for the JS7 JOC Cockpit GUI, as all multipart requests are created by the UI component, which prevents such a scenario.

      The impact for JS7 API usage is higher, as tampered request headers are possible because it is the API client that is responsible for creating request headers.

      We haven't rated CVE-2023-26049 yet.

      Desired Behavior

      Due to vulnerability issues in older Jetty releases, JOC Cockpit should use the current version 11.0.15 or newer, which fixes the issues.
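      The check an operator would want after applying this fix is whether every Jetty jar shipped with a JOC Cockpit installation is at or above 11.0.15. The script below is an added example, not JS7 project code. It assumes Jetty artifacts use the Maven naming convention (jetty-server-11.0.11.jar, jetty-io-9.4.48.v20220622.jar and so on), and the default path /opt/sos-berlin.com/js7/joc is an assumed install location; pass the real directory as the first argument. The demo() function builds a constructed sample tree so the script runs without a JOC install.

```python
"""Audit a directory tree for Jetty jars older than the release fixing
CVE-2023-26048 / CVE-2023-26049 (11.0.15 per the issue above).

Added example, not part of the JS7 project. Assumes Maven-style jar names.
"""
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Baseline taken from the issue: first Jetty 11 release carrying the fixes.
# Other branches (e.g. 10.x) are deliberately not treated as fixed here.
FIXED_VERSION: Tuple[int, ...] = (11, 0, 15)

# jetty-<module>-<major>.<minor>.<patch>[.vYYYYMMDD].jar
_JAR_RE = re.compile(
    r"^jetty-(?P<module>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)(?:\.v\d+)?\.jar$"
)


def parse_jetty_jar(filename: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (module, numeric version tuple) for a Jetty jar name, else None."""
    m = _JAR_RE.match(filename)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("module"), version


def is_fixed(version: Tuple[int, ...], fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True if version >= fixed, comparing numerically with zero-padding."""
    width = max(len(version), len(fixed))

    def pad(v: Tuple[int, ...]) -> Tuple[int, ...]:
        return tuple(v) + (0,) * (width - len(v))

    return pad(version) >= pad(fixed)


def audit(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root and bucket every Jetty jar into 'fixed' or 'vulnerable'."""
    report: Dict[str, List[Tuple[str, str]]] = {"fixed": [], "vulnerable": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            parsed = parse_jetty_jar(name)
            if parsed is None:
                continue  # not a Jetty artifact (e.g. jersey-server-*.jar)
            _, version = parsed
            bucket = "fixed" if is_fixed(version) else "vulnerable"
            report[bucket].append(
                (os.path.join(dirpath, name), ".".join(map(str, version)))
            )
    return report


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed sample tree (empty files, not real JOC jars) to exercise audit()."""
    root = tempfile.mkdtemp(prefix="joc-jetty-audit-")
    lib = Path(root) / "lib"
    lib.mkdir()
    for name in (
        "jetty-server-11.0.11.jar",   # affected version named in the issue
        "jetty-http-11.0.11.jar",
        "jetty-util-11.0.15.jar",     # fixed
        "jersey-server-2.39.jar",     # not Jetty, must be ignored
        "jetty-io-9.4.48.v20220622.jar",  # old branch with date suffix
    ):
        (lib / name).touch()
    return audit(root)


if __name__ == "__main__":
    # Assumed default install path; override with the real JOC Cockpit directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/sos-berlin.com/js7/joc"
    result = audit(target) if os.path.isdir(target) else demo()
    for path, ver in result["vulnerable"]:
        print(f"VULNERABLE {ver:>10}  {path}")
    for path, ver in result["fixed"]:
        print(f"ok         {ver:>10}  {path}")
    sys.exit(1 if result["vulnerable"] else 0)
```

      The non-zero exit status makes the script usable as a post-upgrade gate in a deployment pipeline; jars from a different Jetty branch are reported as vulnerable because the issue only establishes 11.0.15 as the fixed baseline.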


          People

            oh Oliver Haufe
            sp Santiago Aucejo Petzoldt
            Pratishtha Pandey Pratishtha Pandey