Description: | In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, when
response headers are too large, Jetty throws an exception to
produce an HTTP 431 error. When this happens, the ByteBuffer
containing the HTTP response headers is released back to the
ByteBufferPool twice. Because of this double release, two threads can
acquire the same ByteBuffer from the pool, and while thread1 is about
to use the ByteBuffer to write response1 data, thread2 fills the
ByteBuffer with other data. Thread1 then proceeds to write the buffer,
which now contains different data. As a result, client1, which
issued request1, sees data from another request or response, which
could contain sensitive data belonging to client2 (HTTP session ids,
authentication credentials, etc.). If the Jetty version cannot be
upgraded, the vulnerability can be significantly reduced by
configuring a responseHeaderSize significantly larger than the
requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).
|
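The double release described above, reduced to a single-threaded model so the aliasing is deterministic, followed by a pool that rejects the second release. This is an added example, not Jetty's code: `SimplePool`, `CheckedPool` and the cookie string are constructed for illustration and do not reflect Jetty's actual ByteBufferPool implementation or its fix.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class DoubleReleaseDemo {
    // Hypothetical minimal pool for illustration; NOT Jetty's ByteBufferPool.
    static class SimplePool {
        private final Deque<ByteBuffer> free = new ArrayDeque<>();
        ByteBuffer acquire(int size) {
            ByteBuffer b = free.poll();
            if (b == null) b = ByteBuffer.allocate(size);
            b.clear();
            return b;
        }
        void release(ByteBuffer b) { free.push(b); } // no check: one buffer can be queued twice
    }
    // Same pool with a guard. Identity set, because ByteBuffer.equals() compares content.
    static class CheckedPool extends SimplePool {
        private final Set<ByteBuffer> pooled = Collections.newSetFromMap(new IdentityHashMap<ByteBuffer, Boolean>());
        @Override ByteBuffer acquire(int size) {
            ByteBuffer b = super.acquire(size);
            pooled.remove(b);               // buffer is now owned by the caller
            return b;
        }
        @Override void release(ByteBuffer b) {
            if (!pooled.add(b)) throw new IllegalStateException("buffer released twice");
            super.release(b);
        }
    }
    public static void main(String[] args) {
        SimplePool pool = new SimplePool();
        ByteBuffer headers = pool.acquire(64);
        pool.release(headers);
        pool.release(headers);              // double release, as on the 431 error path
        ByteBuffer r1 = pool.acquire(64);   // taken by the thread serving client1
        ByteBuffer r2 = pool.acquire(64);   // taken by the thread serving client2
        System.out.println("same buffer handed out twice: " + (r1 == r2));
        r1.put("response1 body".getBytes(StandardCharsets.US_ASCII));
        r2.clear();                         // thread2 starts filling "its" buffer
        r2.put("Set-Cookie: ID=client2-constructed".getBytes(StandardCharsets.US_ASCII));
        r1.flip();                          // thread1 writes what it believes is response1
        System.out.println("client1 receives: " + StandardCharsets.US_ASCII.decode(r1));
        CheckedPool checked = new CheckedPool();
        ByteBuffer b = checked.acquire(64);
        checked.release(b);
        try { checked.release(b); }         // second release is rejected instead of queued
        catch (IllegalStateException e) { System.out.println("guarded pool: " + e.getMessage()); }
    }
}
```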