CVE-2023-41900

Jetty's OpenId Revoked authentication allows one request

CVSS 3.5 LOW · EPSS 0.8% · CWE-1390
In short

Jetty's OpenID authentication has a timing flaw where a user whose access was just revoked can still complete one more request as if they were authenticated before being logged out. This matters because an attacker with a revoked session could perform one unauthorized action.

Technical detail

The OpenIdAuthenticator in Jetty (versions 9.4.21–9.4.51, 10.0.15, 11.0.15) fails to immediately enforce LoginService revocation decisions. When a nested LoginService rejects a previously authenticated user, the current request is processed as authenticated before the session state is cleared, allowing one request to bypass the revocation check. Subsequent requests are properly denied.
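To make the ordering flaw concrete, here is an added simplified model (not Jetty's own code; the class, method and attribute names are assumed) that places the vulnerable ordering, where the revoked user still gets the current request, beside the corrected ordering, where a user rejected by the nested LoginService is denied on that same request.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model of the CVE-2023-41900 ordering flaw (added illustration, not Jetty's code).
public class RevocationOrderingDemo {
    /** Stand-in for the nested LoginService: validate() returns false once a user is revoked. */
    interface LoginService { boolean validate(String user); }
    /** Stand-in for the HTTP session that caches the authenticated identity between requests. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        void setAttribute(String k, Object v) { attrs.put(k, v); }
        Object getAttribute(String k) { return attrs.get(k); }
        void removeAttribute(String k) { attrs.remove(k); }
    }

    static final String AUTH_ATTR = "__J_AUTHENTICATED";
    /** Vulnerable ordering: revocation clears the session, but the cached identity is still
     *  returned, so THIS request runs as the revoked user; only the next one is denied. */
    static String validateRequestVulnerable(Session session, LoginService loginService) {
        String user = (String) session.getAttribute(AUTH_ATTR);
        if (user != null && loginService != null && !loginService.validate(user)) {
            session.removeAttribute(AUTH_ATTR); // takes effect for the NEXT request only
        }
        return user;                            // BUG: revoked user still treated as authenticated
    }

    /** Fixed ordering: a user the LoginService rejects is unauthenticated for this request too. */
    static String validateRequestFixed(Session session, LoginService loginService) {
        String user = (String) session.getAttribute(AUTH_ATTR);
        if (user != null && loginService != null && !loginService.validate(user)) {
            session.removeAttribute(AUTH_ATTR);
            return null;                        // deny / re-challenge the current request as well
        }
        return user;
    }

    public static void main(String[] args) {
        Set<String> revoked = new HashSet<>();
        LoginService svc = u -> !revoked.contains(u); // constructed LoginService backed by a revocation set
        Session s1 = new Session(); s1.setAttribute(AUTH_ATTR, "alice"); // exercises the vulnerable path
        Session s2 = new Session(); s2.setAttribute(AUTH_ATTR, "alice"); // exercises the fixed path
        revoked.add("alice");                                            // alice is revoked mid-session
        System.out.println("vulnerable, 1st request after revocation: " + validateRequestVulnerable(s1, svc));
        System.out.println("vulnerable, 2nd request after revocation: " + validateRequestVulnerable(s1, svc));
        System.out.println("fixed, 1st request after revocation: " + validateRequestFixed(s2, svc));
    }
}
```

A regression test for a real deployment checks the same property the model isolates: the first request after the LoginService rejects a user must already be unauthenticated, not only the second.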

Summary generated and translated by AI from the official description.
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Affected products
eclipse · jetty.project
