{"id":"CVE-2023-36479","summary":"Jetty vulnerable to errant command quoting in CGI Servlet","details":"Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.","aliases":["GHSA-3gh6-v5v9-6v9j"],"modified":"2026-04-02T09:07:47.715646Z","published":"2023-09-15T18:37:35.948Z","related":["CGA-4jch-hfv5-2v2v","SUSE-SU-2023:4210-1","openSUSE-SU-2024:13329-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/36xxx/CVE-2023-36479.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-149"]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/36xxx/CVE-2023-36479.json"},{"type":"ADVISORY","url":"https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36479"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5507"},{"type":"FIX","url":"https://github.com/eclipse/jetty.project/pull/9516"},{"type":"FIX","url":"https://github.com/eclipse/jetty.project/pull/9888"},{"type":"FIX","url":"https://github.com/eclipse/jetty.project/pull/9889"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse/jetty.project","events":[{"i
ntroduced":"1237b739c787a75a5f9e1f495b3f2c8284761499"},{"last_affected":"b45c405e4544384de066f814ed42ae3dceacdd49"}],"database_specific":{"versions":[{"introduced":"9.0.0"},{"last_affected":"9.4.51"}]}},{"type":"GIT","repo":"https://github.com/eclipse/jetty.project","events":[{"introduced":"b9645a17373e4e9b7f30b6c0a07defcea2cb660b"},{"last_affected":"68017dbd00236bb7e187330d7585a059610f661d"}],"database_specific":{"versions":[{"introduced":"10.0.0"},{"last_affected":"10.0.15"}]}},{"type":"GIT","repo":"https://github.com/eclipse/jetty.project","events":[{"introduced":"432f896d7a4555fcc81f38108757ea0aca8788e6"},{"last_affected":"5bc5e562c8d05c5862505aebe5cf83a61bdbcb96"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"last_affected":"11.0.15"}]}},{"type":"GIT","repo":"https://github.com/eclipse/jetty.project","events":[{"introduced":"0"},{"last_affected":"f98b345a28fcefbf1fa8e16dc4b44605b68f2c62"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"12.0.0-beta1"}]}}],"versions":["PRE-MERGE-20120719-1138","jetty-10.0.0","jetty-10.0.0-alpha0","jetty-10.0.0.alpha1","jetty-10.0.0.alpha2","jetty-10.0.0.beta0","jetty-10.0.0.beta1","jetty-10.0.0.beta2","jetty-10.0.0.beta3","jetty-10.0.1","jetty-10.0.10","jetty-10.0.11","jetty-10.0.12","jetty-10.0.13","jetty-10.0.14","jetty-10.0.15","jetty-10.0.16","jetty-10.0.17","jetty-10.0.18","jetty-10.0.19","jetty-10.0.2","jetty-10.0.20","jetty-10.0.21","jetty-10.0.22","jetty-10.0.23","jetty-10.0.24","jetty-10.0.25","jetty-10.0.26","jetty-10.0.3","jetty-10.0.4","jetty-10.0.5","jetty-10.0.6","jetty-10.0.7","jetty-10.0.8","jetty-10.0.9","jetty-11.0.0","jetty-11.0.0-alpha0","jetty-11.0.0.beta1","jetty-11.0.0.beta2","jetty-11.0.0.beta3","jetty-11.0.1","jetty-11.0.10","jetty-11.0.11","jetty-11.0.12","jetty-11.0.13","jetty-11.0.14","jetty-11.0.15","jetty-11.0.16","jetty-11.0.17","jetty-11.0.18","jetty-11.0.19","jetty-11.0.2","jetty-11.0.20","jetty-11.0.21","jetty-11.0.22","jetty-11.0.23","jetty-11.0.24","jetty-11
.0.25","jetty-11.0.26","jetty-11.0.3","jetty-11.0.4","jetty-11.0.5","jetty-11.0.6","jetty-11.0.7","jetty-11.0.8","jetty-11.0.9","jetty-12.0.0","jetty-12.0.0.alpha0","jetty-12.0.0.alpha1","jetty-12.0.0.alpha2","jetty-12.0.0.alpha3","jetty-12.0.0.beta0","jetty-12.0.0.beta1","jetty-12.0.0.beta2","jetty-12.0.0.beta2x","jetty-12.0.0.beta3","jetty-12.0.0.beta3x","jetty-12.0.0.beta4","jetty-12.0.0x","jetty-12.0.1","jetty-12.0.10","jetty-12.0.11","jetty-12.0.12","jetty-12.0.13","jetty-12.0.14","jetty-12.0.15","jetty-12.0.16","jetty-12.0.17","jetty-12.0.18","jetty-12.0.19","jetty-12.0.2","jetty-12.0.20","jetty-12.0.21","jetty-12.0.22","jetty-12.0.23","jetty-12.0.24","jetty-12.0.25","jetty-12.0.26","jetty-12.0.27","jetty-12.0.28","jetty-12.0.29","jetty-12.0.3","jetty-12.0.30","jetty-12.0.31","jetty-12.0.32","jetty-12.0.34","jetty-12.0.4","jetty-12.0.5","jetty-12.0.6","jetty-12.0.7","jetty-12.0.8","jetty-12.0.9","jetty-12.1.0","jetty-12.1.0.alpha0","jetty-12.1.0.alpha1","jetty-12.1.0.alpha2","jetty-12.1.0.beta0","jetty-12.1.0.beta1","jetty-12.1.0.beta2","jetty-12.1.0.beta3","jetty-12.1.1","jetty-12.1.2","jetty-12.1.3","jetty-12.1.4","jetty-12.1.5","jetty-12.1.6","jetty-12.1.8","jetty-7-to-jetty-8-base-20090328-1","jetty-7-to-jetty-8-base-20110408","jetty-7-to-jetty-8-base-20110408-2","jetty-7-to-jetty-8-base-20110412","jetty-7-to-jetty-8-base-20110516","jetty-7-to-jetty-8-base-20110523","jetty-7-to-jetty-8-base-20110524","jetty-7-to-jetty-8-base-20110527","jetty-7.0.0.M0","jetty-7.0.0.M1","jetty-7.0.0.M2","jetty-7.0.0.M3","jetty-7.0.0.M4","jetty-7.0.0.RC0","jetty-7.0.0.RC1","jetty-7.0.0.RC2","jetty-7.0.0.RC3","jetty-7.0.0.RC4","jetty-7.0.0.RC5","jetty-7.0.0.RC6","jetty-7.0.0.v20091001","jetty-7.0.0.v20091005","jetty-7.0.1.v20091116","jetty-7.0.1.v20091117","jetty-7.0.1.v20091122","jetty-7.0.1.v20091123","jetty-7.0.1.v20091125","jetty-7.0.2.RC0","jetty-7.0.2.v20100331","jetty-7.1.0.RC0","jetty-7.1.0.RC1","jetty-7.1.0.v20100505","jetty-7.1.1.v20100517","jetty-7.1.2.v20100521","j
etty-7.1.2.v20100522","jetty-7.1.2.v20100523","jetty-7.1.3.v20100526","jetty-7.1.4.v20090609","jetty-7.1.4.v20100609","jetty-7.1.4.v20100610","jetty-7.1.5.v20100705","jetty-7.1.6.v20100715","jetty-7.2.0.RC0","jetty-7.2.0.RC1","jetty-7.2.0.v20101020","jetty-7.2.1.v20101111","jetty-7.2.2.v20101201","jetty-7.2.2.v20101203","jetty-7.2.2.v20101205","jetty-7.3.0.20110202","jetty-7.3.0.v20110202","jetty-7.3.0.v20110203","jetty-7.3.0.v20112401","jetty-7.3.1.v20110304","jetty-7.3.1.v20110307","jetty-7.4.0.RC0","jetty-7.4.0.v20110414","jetty-7.4.1","jetty-7.4.1.v20110512","jetty-7.4.1.v20110513","jetty-7.4.2.v20110526","jetty-7.4.3.v20110630","jetty-7.4.3.v20110701","jetty-7.4.4.v20110707","jetty-7.4.5.v20110725","jetty-7.5.0.RC0","jetty-7.5.0.RC1","jetty-7.5.0.RC2","jetty-7.5.0.v20110901","jetty-7.5.1.v20110907","jetty-7.5.1.v20110908","jetty-7.5.2.v20111006","jetty-7.5.3.v20111011","jetty-7.5.4.v20111024","jetty-7.6.0.RC0","jetty-7.6.0.RC1","jetty-7.6.0.RC2","jetty-7.6.0.RC3","jetty-7.6.0.RC4","jetty-7.6.0.RC5","jetty-7.6.0.v20120125","jetty-7.6.0.v20120127","jetty-7.6.1.v20120215","jetty-7.6.10.v20130312","jetty-7.6.11.v20130520","jetty-7.6.11.v20130725","jetty-7.6.12.v20130726","jetty-7.6.13.v20130910","jetty-7.6.13.v20130916","jetty-7.6.14.v20131031","jetty-7.6.15.v20140411","jetty-7.6.16.v20140903","jetty-7.6.17.v20150415","jetty-7.6.18.v20150929","jetty-7.6.19.v20160209","jetty-7.6.2.v20120302","jetty-7.6.2.v20120308","jetty-7.6.20.v20160902","jetty-7.6.21.v20160908","jetty-7.6.3.v20120413","jetty-7.6.3.v20120416","jetty-7.6.4.v20120522","jetty-7.6.4.v20120524","jetty-7.6.5.v20120713","jetty-7.6.5.v20120716","jetty-7.6.6.v20120903","jetty-7.6.7.v20120910","jetty-7.6.8.v20121106","jetty-7.6.9.v20130131","jetty-8-historical","jetty-8.0.0.M0","jetty-8.0.0.M1","jetty-8.0.0.M2","jetty-8.0.0.M3","jetty-8.0.0.RC0","jetty-8.0.0.v20110901","jetty-8.0.1.v20110907","jetty-8.0.1.v20110908","jetty-8.0.2.v20111006","jetty-8.0.3.v20111011","jetty-8.0.4.v20111024","jetty-8.1.0.RC0","j
etty-8.1.0.RC1","jetty-8.1.0.RC2","jetty-8.1.0.RC4","jetty-8.1.0.RC5","jetty-8.1.0.v20120125","jetty-8.1.0.v20120127","jetty-8.1.1.v20120215","jetty-8.1.10.v20130312","jetty-8.1.11.v20130520","jetty-8.1.12.v20130725","jetty-8.1.12.v20130726","jetty-8.1.13.v20130910","jetty-8.1.13.v20130916","jetty-8.1.14.v20131031","jetty-8.1.15.v20140411","jetty-8.1.16.v20140903","jetty-8.1.17.v20150415","jetty-8.1.18.v20150929","jetty-8.1.19.v20160209","jetty-8.1.2.v20120302","jetty-8.1.2.v20120308","jetty-8.1.20.v20160902","jetty-8.1.21.v20160908","jetty-8.1.22.v20160922","jetty-8.1.3.v20120413","jetty-8.1.3.v20120416","jetty-8.1.4.v20120522","jetty-8.1.4.v20120524","jetty-8.1.5.v20120713","jetty-8.1.5.v20120716","jetty-8.1.6.v20120903","jetty-8.1.7.v20120910","jetty-8.1.8.v20121106","jetty-8.1.9.v20130131","jetty-8.2.0.v20160908","jetty-9.0.0.M0","jetty-9.0.0.M1","jetty-9.0.0.M2","jetty-9.0.0.M3","jetty-9.0.0.M4","jetty-9.0.0.M5","jetty-9.0.0.RC0","jetty-9.0.0.RC1","jetty-9.0.0.RC2","jetty-9.0.0.RC3","jetty-9.0.0.v20130308","jetty-9.0.1.v20130408","jetty-9.0.2.v20130417","jetty-9.0.2.v20140415","jetty-9.0.3.v20130506","jetty-9.0.4.v20130621","jetty-9.0.4.v20130625","jetty-9.0.5.v20130813","jetty-9.0.5.v20130815","jetty-9.0.6.v20130919","jetty-9.0.6.v20130930","jetty-9.0.7.v20131031","jetty-9.0.7.v20131107","jetty-9.0.x","jetty-9.1.0.M0","jetty-9.1.0.RC0","jetty-9.1.0.RC1","jetty-9.1.0.RC2","jetty-9.1.0.v20131115","jetty-9.1.1.v20140108","jetty-9.1.2.v20140210","jetty-9.1.3.v20140225","jetty-9.1.4.v20140401","jetty-9.1.5.v20140505","jetty-9.1.6.v20151106","jetty-9.1.6.v20160112","jetty-9.2.0.M0","jetty-9.2.0.M1","jetty-9.2.0.RC0","jetty-9.2.0.v20140523","jetty-9.2.0.v20140526","jetty-9.2.1.v20140609","jetty-9.2.10.v20150310","jetty-9.2.11.M0","jetty-9.2.11.v20150528","jetty-9.2.11.v20150529","jetty-9.2.12.M0","jetty-9.2.12.v20150709","jetty-9.2.13.v20150730","jetty-9.2.14.v20151106","jetty-9.2.15.v20160210","jetty-9.2.16.v20160407","jetty-9.2.16.v20160414","jetty-9.2.17.v20160517
","jetty-9.2.18.v20160721","jetty-9.2.19.v20160908","jetty-9.2.2.v20140723","jetty-9.2.20.v20161216","jetty-9.2.21.v20170120","jetty-9.2.22.v20170606","jetty-9.2.23.v20171218","jetty-9.2.24.v20180105","jetty-9.2.25.v20180606","jetty-9.2.26.v20180806","jetty-9.2.27.v20190403","jetty-9.2.28.v20190418","jetty-9.2.29.v20191105","jetty-9.2.3.v20140905","jetty-9.2.30.v20200428","jetty-9.2.4.v20141103","jetty-9.2.5.v20141112","jetty-9.2.6.v20141203","jetty-9.2.6.v20141205","jetty-9.2.7.v20150116","jetty-9.2.8.v20150217","jetty-9.2.9.v20150224","jetty-9.3.0.M0","jetty-9.3.0.M1","jetty-9.3.0.M2","jetty-9.3.0.RC0","jetty-9.3.0.RC1","jetty-9.3.0.v20150601","jetty-9.3.0.v20150608","jetty-9.3.0.v20150612","jetty-9.3.1.v20150714","jetty-9.3.10.M0","jetty-9.3.10.v20160621","jetty-9.3.11.M0","jetty-9.3.11.v20160721","jetty-9.3.12.v20160915","jetty-9.3.13.M0","jetty-9.3.13.v20161014","jetty-9.3.14.v20161028","jetty-9.3.15.v20161220","jetty-9.3.16.v20170119","jetty-9.3.16.v20170120","jetty-9.3.17.RC0","jetty-9.3.17.v20170317","jetty-9.3.18.v20170406","jetty-9.3.19.v20170502","jetty-9.3.2.v20150730","jetty-9.3.20.v20170531","jetty-9.3.21.M0","jetty-9.3.21.RC0","jetty-9.3.21.v20170918","jetty-9.3.22.v20171030","jetty-9.3.23.v20180228","jetty-9.3.24.v20180605","jetty-9.3.25.v20180904","jetty-9.3.26.v20190403","jetty-9.3.27.v20190418","jetty-9.3.28.v20191105","jetty-9.3.29.v20201019","jetty-9.3.3.v20150825","jetty-9.3.3.v20150827","jetty-9.3.30.v20211001","jetty-9.3.4.RC0","jetty-9.3.4.RC1","jetty-9.3.4.v20151005","jetty-9.3.4.v20151007","jetty-9.3.5.v20151012","jetty-9.3.6.v20151106","jetty-9.3.7.RC0","jetty-9.3.7.RC1","jetty-9.3.7.v20160115","jetty-9.3.8.RC0","jetty-9.3.8.v20160311","jetty-9.3.8.v20160314","jetty-9.3.9.M0","jetty-9.3.9.M1","jetty-9.3.9.v20160517","jetty-9.4.0.M0","jetty-9.4.0.M1","jetty-9.4.0.RC0","jetty-9.4.0.RC1","jetty-9.4.0.RC2","jetty-9.4.0.RC3","jetty-9.4.0.v20161207","jetty-9.4.0.v20161208","jetty-9.4.0.v20180619","jetty-9.4.1.v20170120","jetty-9.4.1.v20180619",
"jetty-9.4.10.RC0","jetty-9.4.10.RC1","jetty-9.4.10.v20180503","jetty-9.4.11.v20180605","jetty-9.4.12.RC0","jetty-9.4.12.RC1","jetty-9.4.12.RC2","jetty-9.4.12.v20180830","jetty-9.4.13.v20181111","jetty-9.4.14.v20181114","jetty-9.4.15.v20190215","jetty-9.4.16.v20190411","jetty-9.4.17.v20190418","jetty-9.4.18.v20190429","jetty-9.4.19.v20190610","jetty-9.4.2.v20170220","jetty-9.4.2.v20180619","jetty-9.4.20.v20190813","jetty-9.4.21.v20190926","jetty-9.4.22.v20191022","jetty-9.4.23.v20191118","jetty-9.4.24.v20191120","jetty-9.4.25.v20191220","jetty-9.4.26.v20200117","jetty-9.4.27.v20200227","jetty-9.4.28.v20200408","jetty-9.4.29.v20200521","jetty-9.4.3.v20170317","jetty-9.4.3.v20180619","jetty-9.4.30.v20200611","jetty-9.4.31.v20200723","jetty-9.4.32.v20200930","jetty-9.4.33.v20201020","jetty-9.4.34.v20201102","jetty-9.4.35.v20201120","jetty-9.4.36.v20210114","jetty-9.4.37.v20210219","jetty-9.4.38.v20210224","jetty-9.4.39.v20210325","jetty-9.4.4.v20170410","jetty-9.4.4.v20170414","jetty-9.4.4.v20180619","jetty-9.4.40.v20210413","jetty-9.4.41.v20210516","jetty-9.4.42.v20210604","jetty-9.4.43.v20210629","jetty-9.4.44.v20210927","jetty-9.4.45.v20220203","jetty-9.4.46.v20220331","jetty-9.4.47.v20220610","jetty-9.4.48.v20220622","jetty-9.4.49.v20220914","jetty-9.4.5.v20170502","jetty-9.4.5.v20180619","jetty-9.4.50.v20221107","jetty-9.4.50.v20221201","jetty-9.4.51.v20230217","jetty-9.4.52.v20230823","jetty-9.4.53.v20231009","jetty-9.4.54.v20240208","jetty-9.4.55.v20240627","jetty-9.4.56.v20240826","jetty-9.4.57.v20241219","jetty-9.4.58.v20250814","jetty-9.4.6.v20170531","jetty-9.4.6.v20180619","jetty-9.4.7.RC0","jetty-9.4.7.v20170914","jetty-9.4.7.v20180619","jetty-9.4.8.v20171121","jetty-9.4.8.v20180619","jetty-9.4.9.v20180320","npn-api-1.0.0.v20120402","npn-api-1.1.0.v20120525"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36479.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/P
R:L/UI:N/S:C/C:N/I:L/A:N"}]}