GHSA-pwh8-58vv-vw48 · 深刻度: low · エコシステム: maven — Jetty's OpenId Revoked authentication allows one request
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
総合評価: CVE-2023-41900 は公開エクスプロイトあり(50/100)。CVSS 深刻度は低。悪用される可能性が高い(EPSS 0.75%、50 パーセンタイル) 根拠: 公開エクスプロイトが 1 件参照されています(Exploit-DB)。 推奨対応: 公開エクスプロイトが確認されています。影響範囲の確認、緩和策の適用、パッチ適用を優先してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
| EDB-ID | ソース | 種別 | 公開 | リンク |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.14% | 0.75% | +0.61% |
| 2 | 2026-05-03 | 0.19% | 0.14% | -0.05% |
| 3 | 2026-05-02 | — | 0.19% | — |
EPSS の全履歴 (全 12 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 3.5 | 3.1 | LOW |
|
1.8 | 1.4 | [email protected] |
| 4.3 | 3.1 | MEDIUM |
|
2.8 | 1.4 | [email protected] |
GHSA-pwh8-58vv-vw48 · 深刻度: low · エコシステム: maven — Jetty's OpenId Revoked authentication allows one request
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2023-41900 not yet assigned priority: Debian including 1 source packages (jetty9), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2023-41900 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2023-41900 |
suse
|
low | CVE-2023-41900 severity low: SUSE including 58 source package names (jetty-annotations-9.4.53-1.1, jetty-annotations-9.4.53-150200.3.22.1, …), 234 product×package rows across 21 product lines (Image server-image, SUSE Enterprise Storage 7.1, … (21 product lines)): Fixed 234. | https://www.suse.com/security/cve/CVE-2023-41900/ |
ubuntu
|
medium | CVE-2023-41900 medium priority: Ubuntu including 1 source packages (jetty9), 12 status rows across 12 suites (bionic, focal, jammy, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): needed 4, not-affected 4, ignored 3, released 1. | https://ubuntu.com/security/CVE-2023-41900 |
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| eclipse | jetty | >= 9.4.21, < 9.4.52 | cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* |
| eclipse | jetty | >= 10.0.0, < 10.0.16 | cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* |
| eclipse | jetty | >= 11.0.0, < 11.0.16 | cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* |
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| debian | debian_linux | 12.0 | cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:* |
| URL | タグ |
|---|---|
| https://github.com/eclipse/jetty.project/pull/9528 | Patch |
| https://github.com/eclipse/jetty.project/pull/9660 | Patch |
| https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48 | Exploit Patch Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20231110-0004/ | Third Party Advisory |
| https://www.debian.org/security/2023/dsa-5507 | Third Party Advisory |