[JOC-1553] Update Jetty Version to 11.0.15 due to 3rd party vulnerability issues in Jetty (CVE-2023-26048, CVE-2023-26049) - SOS JIRA

XML

Word

Printable

Details

Type: Fix
Status: Released (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.5.3
Fix Version/s: 2.5.4, 2.6.0
Component/s: None
Labels:
None

CVE-ID:
CVE-2023-26048, CVE-2023-26049

Description

Current Situation

JS7 JOC Cockpit makes use of Jetty 11.0.11. Two vulnerabilities affect this version.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048

and

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049

We rate CVE-2023-26048 as medium.

The impact is low for the JS7 JOC Cockpit GUI as all multipart requests are created by the UI component which prevents such a scenario.

The impact for JS7 API usage is higher with tampered request headers being possible as it is the API Client that is responsible for creating request headers.

We haven´t rated CVE-2023-26049 yet.

Desired Behavior

Due to vulnerability Issues of older Jetty releases the JOC Cockpit should use the current version 11.0.15 or newer that fixes the issues.

Attachments

Activity

People

Assignee:: Oliver Haufe

Reporter:: Santiago Aucejo Petzoldt

Approver:: Pratishtha Pandey

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07 June 2023 12:33

Updated:: 26 June 2023 18:36

Resolved:: 13 June 2023 16:15