CVE-2023-36479

Name: CVE-2023-36479
Creator: NVD / NIST
Published: 2023-09-15T19:15:08.387+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

LOWCVSS 3.1/10EPSS 1.01%

Last modified Jun 17, 2026

CVE-2023-36479 is a low-severity vulnerability rated 3.1/10 on the CVSS scale. Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. EPSS estimates a 1.01% chance of exploitation in the next 30 days.

Description

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Metrics

CVSS 3.1

3.1/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

1.01%

58.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-149

Affected Software

Vendor	Product	Versions	Update
Eclipse	Jetty	>= 9.0.0, < 9.4.52	—
Eclipse	Jetty	>= 10.0.0, < 10.0.16	—
Eclipse	Jetty	>= 11.0.0, < 11.0.16	—
Eclipse	Jetty	12.0.0	Alpha1
Debian	Debian Linux	10.0	—
Debian	Debian Linux	11.0	—
Debian	Debian Linux	12.0	—

References

https://github.com/eclipse/jetty.project/pull/9516Patch
https://github.com/eclipse/jetty.project/pull/9888Patch
https://github.com/eclipse/jetty.project/pull/9889Patch
https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9jExploit, Patch, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.htmlMailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Mailing List, Third Party Advisory
https://github.com/eclipse/jetty.project/pull/9516Patch
https://github.com/eclipse/jetty.project/pull/9888Patch
https://github.com/eclipse/jetty.project/pull/9889Patch
https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9jExploit, Patch, Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.htmlMailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Mailing List, Third Party Advisory

Timeline

Published: Sep 15, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-36479?

How severe is CVE-2023-36479?

CVE-2023-36479 has a CVSS score of 3.1/10 (LOW severity). The EPSS model estimates a 1.01% probability of exploitation in the next 30 days.

How do I fix CVE-2023-36479?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-36479?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST