Published: April 2024
What is CVE-2023-36479?
CVE-2023-36479 is a serious security flaw discovered in Eclipse Jetty, a widely used open-source Java web server and servlet container. Specifically, the bug affects Jetty's CgiServlet, a component that handles running system commands or scripts via HTTP requests. Attackers can exploit this bug to execute unexpected system commands—this can be a severe risk, especially for servers exposed to the internet.
Jetty's maintainers have fixed this bug, but if you haven't updated your server, you could be open to attacks. This post will make the vulnerability easy to understand and show you how it can be exploited, along with guidance, code examples, and references.
A Quick Look at Jetty's CgiServlet
CgiServlet is designed to run executable scripts or programs when someone makes a request to a specified URL. Commonly, this is used to run legacy CGI (Common Gateway Interface) scripts.
Simplified Use-Case Example
<servlet>
<servlet-name>cgi</servlet-name>
<servlet-class>org.eclipse.jetty.servlets.CGI</servlet-class>
<init-param>
<param-name>commandPrefix</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>cgi</servlet-name>
<url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
How Does the Vulnerability Work?
Normally, the servlet escapes executable names by wrapping them in quotation marks. But if a request contains an executable with a quotation mark and a space in the name (for example, "executable" script), the command line is constructed with multiple tokens, not as a single file path.
So, instead of running one safe, specific command, the system actually parses the input as multiple pieces—giving the attacker a way to smuggle in extra commands.
Key Points
- User input is not validated/sanitized enough.
Embedding " (quote) and a space in the executable's name breaks the escaping logic.
- Jetty's code uses Runtime.exec, which passes everything to the operating system for direct execution.
Suppose an attacker sends a request for
/cgi-bin/"echo" Hello
Instead of executing one safe command, the server builds a command string like
"echo" Hello
But if the attacker is clever and sends this as the binary name
"badprogram" && whoami
Jetty will see
"/usr/bin/"badprogram" && whoami"
The quotes don't protect the command anymore! In systems that process arguments this way, unintended commands (like whoami or even worse) can get executed.
Here's a pseudo-Java illustration of the vulnerable logic
String commandName = getRequestedCGIExecutableName(request);
if (commandName.contains(" ")) {
commandName = "\"" + commandName + "\""; // Tries to escape
}
String cmd = commandPrefix + commandName;
Runtime.getRuntime().exec(cmd); // Dangerous: unsanitized user input
This escaping doesn't work if the commandName itself includes a " and a space—because it breaks the intended single-string barrier.
Any 12.x before 12..-beta2
And, you use the CgiServlet, especially with user-controllable command structure, you are vulnerable!
How Was It Fixed?
The Jetty team updated the command-building logic to robustly validate and sanitize both arguments and executable paths, preventing attackers from slipping in malicious input.
Patch Example (Conceptual)
// Newer code strictly checks for bad characters
if (!VALID_NAME.matcher(commandName).matches()) {
throw new ServletException("Invalid program name");
}
// Also, fully use ProcessBuilder to avoid command-line parsing issues
ProcessBuilder pb = new ProcessBuilder(commandName, args...);
References
- Official Jetty security advisory
- NVD Entry: CVE-2023-36479
- Jetty GitHub Project
Simple Takeaway
CVE-2023-36479 is a "hidden in plain sight" vulnerability that can turn a badly configured Jetty CGI handler into a launchpad for system compromise. Always keep your Jetty up to date, don’t trust raw user input, and review how you use CGI features.
Timeline
Published on: 09/15/2023 19:15:00 UTC
Last modified on: 10/16/2023 19:20:00 UTC