VYPR
Low severity · NVD Advisory · Published Apr 18, 2023 · Updated Feb 13, 2025

Cookie parsing of quoted values can exfiltrate values from other cookies in Eclipse Jetty

CVE-2023-26049

Description

Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.

If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So, a cookie header such as DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d, instead of 3 separate cookies.

This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system.

This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
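The parsing difference described above, as an added example (not Jetty's code and not part of the advisory): a quote-greedy parser modelling the pre-fix behaviour beside a plain semicolon-splitting one, with a check that reports cookie names the first parser hides inside another value. All function names are hypothetical, and falling back to semicolon splitting on an unclosed quote is an assumption.

```python
# Added example: a model of the two parsing behaviours, not Jetty's implementation.

def parse_semicolon_split(header):
    """Treat every ';' as the end of a cookie-pair, quoted or not."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs

def parse_quote_greedy(header):
    """Model of the pre-fix behaviour: a value that starts with '"' runs to
    the closing quote, swallowing any ';' in between."""
    pairs, i, n = [], 0, len(header)
    while i < n:
        eq = header.find("=", i)
        if eq == -1:
            break
        # Ignore any '='-less segment sitting in front of this name.
        name = header[i:eq].rsplit(";", 1)[-1].strip()
        j = eq + 1
        if header.startswith('"', j) and (close := header.find('"', j + 1)) != -1:
            value = header[j + 1:close]
            end = header.find(";", close + 1)
        else:
            # Unquoted value, or unclosed quote (assumed fallback): stop at ';'.
            end = header.find(";", j)
            value = header[j:(end if end != -1 else n)].strip()
        if name:
            pairs.append((name, value))
        i = n if end == -1 else end + 1
    return pairs

def smuggled_names(header):
    """Cookie names visible to the semicolon-splitting parser that the
    quote-greedy parser folds into another cookie's value."""
    greedy_names = {name for name, _ in parse_quote_greedy(header)}
    return [name for name, _ in parse_semicolon_split(header)
            if name not in greedy_names]

# Header taken from the advisory text; the second one is a constructed benign case.
ADVISORY_HEADER = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'
BENIGN_HEADER = 'a=1; b="x y"; c=3'
```

A non-empty result from `smuggled_names` marks a Cookie header on which an intermediary and an unpatched server would disagree, which is the condition worth logging or rejecting at the edge.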

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jetty's nonstandard cookie parsing allows cookie smuggling, enabling attackers to bypass security controls and exfiltrate HttpOnly cookies.

CVE-2023-26049 is a vulnerability in Eclipse Jetty's cookie parsing mechanism. The core issue is that when a cookie VALUE starts with a double quote ("), Jetty's parser continues reading until a closing quote is found, even across semicolons that normally separate cookie attributes or individual cookies [3]. This deviates from the cookie parsing rules defined in RFC 6265, which treats semicolons as delimiters between separate cookies or cookie attributes [1]. Consequently, a malformed cookie header like DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" is parsed as a single cookie named DISPLAY_LANGUAGE with the value b; JSESSIONID=1337; c=d, instead of three distinct cookies [3]. This nonstandard behavior is the root cause of the vulnerability.

To exploit this, an attacker with the ability to inject arbitrary cookie values into a user's browser (e.g., via a cross-site scripting or cookie injection attack) can craft a cookie that smuggles sensitive cookies, such as a session identifier, inside the value of another cookie. For instance, if a JSESSIONID cookie is set with the HttpOnly flag, it normally cannot be accessed by client-side scripts. However, by creating a DISPLAY_LANGUAGE cookie with a value that includes the victim's JSESSIONID (e.g., through a known or predicted string), the attacker can cause the server to log or reflect the combined value [3]. The attack requires no authentication on the part of the attacker beyond the ability to set a cookie; the server automatically processes the smuggled data as part of the cookie parsing.

The impact is significant: an attacker can bypass security policies enforced by intermediary devices (such as web application firewalls or proxies) that rely on cookie semantics, because the smuggled cookie is hidden inside another cookie's value. Additionally, if the server outputs the smuggled DISPLAY_LANGUAGE value (e.g., in an error message or reflected response), the attacker can exfiltrate sensitive cookies like session IDs, potentially leading to session hijacking [3]. This undermines the protection offered by the HttpOnly flag, as the attacker effectively uses server-side processing to extract the cookie data.

Mitigation

Users should upgrade to Jetty versions 9.4.51, 10.0.14, 11.0.14, or 12.0.0.beta0, which address the issue by implementing RFC-compliant cookie parsing [3][4]. No workarounds are available [3]. The vulnerability received a CVSS score, which is not specified in the provided data; given its potential for session manipulation and bypass of security controls, applying the patch promptly is recommended.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| org.eclipse.jetty:jetty-server | Maven | < 9.4.51.v20230217 | 9.4.51.v20230217 |
| org.eclipse.jetty:jetty-server | Maven | >= 10.0.0, < 10.0.14 | 10.0.14 |
| org.eclipse.jetty:jetty-server | Maven | >= 11.0.0, < 11.0.14 | 11.0.14 |
| org.eclipse.jetty:jetty-server | Maven | >= 12.0.0alpha0, < 12.0.0.beta0 | 12.0.0.beta0 |
