VDB

CVE-2020-27218

CVE-2020-27218 PUBLISHED

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

EPSS 0.60% · 69.8th percentile

Risk Scores

EPSS Score
0.60%
69.8th percentile

Affected Products

VendorProductVersions
Bitnamispark3.0.3, 3.0.3, 2.4.8
Bitnamikafka2.7.0
Bitnamikafka2.7.0, 2.7.0, 2.7.0
Bitnamispark3.0.3, 2.4.8

Timeline

  • CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Jun 28, 2021 PoC Published
  • Oct 26, 2021 EPSS Score
  • Dec 9, 2021 EPSS Score
  • Dec 11, 2021 PoC Published
  • Dec 13, 2021 PoC Published
  • Dec 18, 2021 PoC Published
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score

References

…and 98 more

Open in Interactive Console →
$ Console Community · 100/wk Open console ›