CVE-2023-41900: Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a ...

Description

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

Metrics

CVSS 3.1

4.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

0.75%

50.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Eclipse	Jetty	>= 9.4.21, < 9.4.52
Eclipse	Jetty	>= 10.0.0, < 10.0.16
Eclipse	Jetty	>= 11.0.0, < 11.0.16
Debian	Debian Linux	11.0
Debian	Debian Linux	12.0

References

https://github.com/eclipse/jetty.project/pull/9528Patch
https://github.com/eclipse/jetty.project/pull/9660Patch
https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48Exploit, Patch, Vendor Advisory
https://security.netapp.com/advisory/ntap-20231110-0004/Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Third Party Advisory
https://github.com/eclipse/jetty.project/pull/9528Patch
https://github.com/eclipse/jetty.project/pull/9660Patch
https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48Exploit, Patch, Vendor Advisory
https://security.netapp.com/advisory/ntap-20231110-0004/Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Third Party Advisory

Timeline

Published: Sep 15, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-41900?

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

How severe is CVE-2023-41900?

CVE-2023-41900 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 0.75% probability of exploitation in the next 30 days.

How do I fix CVE-2023-41900?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.