CVE-2023-36479 Overview
Eclipse Jetty, the widely-used Java-based HTTP server and servlet container, contains a command injection vulnerability in its CgiServlet component. Users of the org.eclipse.jetty.servlets.CGI Servlet with a very specific command structure may have the wrong command executed. When a user sends a request for a binary with a space in its name, the servlet attempts to escape the command by wrapping it in quotation marks. However, if the original binary name contains a quotation mark followed by a space, the resulting command line passed to Runtime.exec will contain multiple tokens instead of one, potentially allowing unintended command execution.
Critical Impact
Attackers with low-level privileges can potentially manipulate command execution in applications using Jetty's CgiServlet, though the attack requires specific conditions and high complexity to exploit successfully.
Affected Products
- Eclipse Jetty versions prior to 9.4.52
- Eclipse Jetty versions 10.x prior to 10.0.16
- Eclipse Jetty versions 11.x prior to 11.0.16
- Eclipse Jetty 12.0.0-alpha1 through 12.0.0-beta1
- Debian Linux 10.0, 11.0, and 12.0
Discovery Timeline
- 2023-09-15 - CVE-2023-36479 published to NVD
- 2025-05-27 - Last updated in NVD database
Technical Details for CVE-2023-36479
Vulnerability Analysis
This vulnerability exists in Eclipse Jetty's CgiServlet component, which is responsible for executing CGI (Common Gateway Interface) scripts. The root issue lies in improper handling of special characters when constructing command lines for execution. When a CGI binary name contains a space, the servlet wraps the entire command in quotation marks to preserve the path as a single argument. However, this escaping mechanism fails to account for embedded quotation marks within the binary name itself.
The flaw is categorized under CWE-149 (Improper Neutralization of Quoting Syntax), indicating that the servlet does not properly neutralize or escape quotation characters before they are used in a command execution context. This improper input validation allows specially crafted requests to break out of the quoted context and inject additional command arguments.
Root Cause
The vulnerability stems from insufficient input validation in the CgiServlet's command-line construction logic. When the servlet receives a request for a CGI binary with spaces in its path, it wraps the command in quotation marks for proper shell interpretation. The implementation fails to sanitize or escape quotation mark characters within the user-supplied binary name. This allows an attacker to inject a quotation mark followed by a space, effectively closing the quoted string early and introducing additional command tokens.
Attack Vector
The attack requires network access to a Jetty server running the CgiServlet with CGI scripts enabled. An authenticated attacker with low privileges must craft a malicious request targeting a CGI endpoint. The request must specify a binary name containing a quotation mark followed by a space character. This crafted input causes the command parser to interpret the subsequent characters as separate command arguments rather than part of the original filename.
When the servlet processes this request, the resulting command passed to Runtime.exec contains unexpected tokens. While the attack complexity is high due to the specific conditions required, successful exploitation could allow an attacker to influence which commands are executed or modify command arguments.
The vulnerability mechanism works as follows: when the CgiServlet receives a request for a CGI binary with a space in its name, it constructs a command string by wrapping the path in quotes. If an attacker supplies a path like binary" -malicious, the servlet may construct a command that includes unintended arguments. The command prefix feature compounds this issue, as the manipulated tokens can alter how the prefix combines with the binary path. For detailed technical information, see the GitHub Security Advisory GHSA-3gh6-v5v9-6v9j.
Detection Methods for CVE-2023-36479
Indicators of Compromise
- HTTP requests to CGI endpoints containing quotation marks followed by spaces in the path or filename parameters
- Unexpected or anomalous CGI script executions in Jetty server logs
- Command execution errors or unusual process spawning patterns related to Jetty servlet containers
- Web access logs showing requests with encoded quotation marks (%22) targeting CGI scripts
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing quotation marks in CGI path parameters
- Monitor Jetty access logs for requests targeting CgiServlet endpoints with suspicious character patterns
- Enable detailed logging for servlet container command executions and alert on unexpected command structures
- Deploy SentinelOne's application control policies to monitor and alert on unusual process execution patterns from Java applications
Monitoring Recommendations
- Configure log aggregation to capture and analyze all CgiServlet-related requests across Jetty instances
- Establish baseline patterns for legitimate CGI script usage and alert on deviations
- Implement runtime application self-protection (RASP) solutions to detect command injection attempts at the application layer
How to Mitigate CVE-2023-36479
Immediate Actions Required
- Upgrade Eclipse Jetty to patched versions: 9.4.52, 10.0.16, 11.0.16, or 12.0.0-beta2 or later
- Review and audit all applications using CgiServlet to identify potentially affected deployments
- Consider disabling CgiServlet functionality if CGI script execution is not required for application operations
- Apply Debian security updates via DSA-5507 for affected Debian systems
Patch Information
Eclipse has released patches addressing this vulnerability across multiple version branches. The fixes are documented in GitHub Pull Request #9516, Pull Request #9888, and Pull Request #9889. The patches implement proper sanitization of quotation characters in CGI binary names before command construction.
For Debian-based systems, security updates are available through the standard package management system. Refer to Debian LTS Announcement for details on affected packages and update instructions.
Workarounds
- Disable CgiServlet if CGI functionality is not required by removing or commenting out the servlet mapping in web.xml
- Implement input validation at the reverse proxy or load balancer level to reject requests with quotation marks in CGI paths
- Deploy a web application firewall with rules specifically targeting command injection patterns in CGI requests
# Example: Disable CgiServlet in Jetty web.xml configuration
# Comment out or remove the following servlet mapping:
# <servlet>
# <servlet-name>CGI</servlet-name>
# <servlet-class>org.eclipse.jetty.servlets.CGI</servlet-class>
# </servlet>
# <servlet-mapping>
# <servlet-name>CGI</servlet-name>
# <url-pattern>/cgi-bin/*</url-pattern>
# </servlet-mapping>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
