CVE-2020-27218: Vulnerability Analysis & Exploit Details

Status: Analyzed - Last modified: 16-02-2024 Published: 28-11-2020

Vulnerability Scoring (CVSS v3.1 base score): 4.8/10

Attack Complexity Details

  • Attack Complexity: HIGH
  • Attack Vector: NETWORK
  • Privileges Required: None
  • Scope: UNCHANGED
  • User Interaction: NONE

CIA Impact Definition

  • Confidentiality: None
  • Integrity: Low Impact
  • Availability: Low Impact

CVE-2020-27218 Vulnerability Summary

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. Exploitation therefore requires all three conditions at once (request inflation enabled, a connection shared between different clients such as one kept open by an intermediary, and an application that leaves a received body unread), which is why the vector rates attack complexity High and confidentiality impact None while integrity is affected.


CVE-2020-27218: Detailed Information and External References

EPSS: 0.02093

EPSS percentile: 0.89016

CWE: CWE-226 (Sensitive Information in Resource Not Removed Before Reuse)

CAPEC

  • Retrieve Embedded Sensitive Data: An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

Vulnerable Configurations

  • cpe:2.3:a:eclipse:jetty:9.4.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:20161207:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:20161208:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.1:20170120:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.1:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.2:20170220:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.2:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.3:20170317:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.3:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.4:20170410:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.4:20170414:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.4:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.5:20170502:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.7:rc0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.7:20170914:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.7:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.8:20171121:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.8:20180619:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.9:20180320:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.10:rc0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.10:rc1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.10:20180503:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.12:rc0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.12:rc1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.12:rc2:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.13:20181111:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.14:20181114:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.16:20190411:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.17:20190418:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.19:20190610:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.20:20190813:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.21:20190926:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.22:20191022:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.23:20191118:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.24:20191120:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.25:20191220:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.26:20200117:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.28:20200408:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.29:20200521:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.30:20200611:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.31:20200723:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.32:20200930:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.33:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.33:20201020:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.4.34:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:10.0.0:alpha0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:10.0.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:10.0.0:beta0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:10.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:11.0.0:alpha0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:11.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:oncommand_system_manager:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:blockchain_platform:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_session_route_manager:8.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:-:*:*:*:standalone:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • cpe:2.3:a:oracle:rest_data_services:20.2.1:*:*:*:standalone:*:*:*
  • cpe:2.3:a:oracle:retail_eftlink:20.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_core_-_automation:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:siebel_core_-_automation:21.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:kafka:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:spark:2.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:spark:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

CVSS3 Source

nvd@nist.gov

CVSS3 Type

Primary

CVSS3 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
