Jenkins, the open-source automation server, announced that a critical vulnerability in the Jetty web server is now patched. The flaw could allow third parties to leak sensitive information and cause memory corruption. It is tracked as CVE-2019-17638 and has a CVSS rating of 9.4. According to the announcement, the vulnerability affects Eclipse Jetty, a Java HTTP server and web container, in versions 9.4.27.v20200227 to 9.4.29.v20200521. Jenkins urges users to update to Jenkins weekly 2.243 or Jenkins LTS 2.235.5 to avoid the vulnerability.
HTTP 431 error
The company also stated that Jetty throws an exception to produce an HTTP 431 error when the response headers are too large. In this case, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two different threads can acquire the same ByteBuffer. While thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer, which now contains response2 data. As a result, client1, which issued request1 and expects response1, sees response2, which could contain sensitive data belonging to client2.
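The following is an added illustration of the buffer-aliasing mechanism described above; it is constructed for this article and is not Jetty's code or the Jenkins fix. It models a ByteBufferPool as a stack of bytearrays, releases one buffer twice (the 431 error path followed by the normal cleanup), and then lets two handlers acquire buffers and write their responses. The interleaving is sequenced deterministically rather than racing real threads, and the response bodies, buffer size, and the guarded pool that rejects a release of a buffer it does not consider outstanding are all assumptions of the example, not a description of how Jetty was patched.

```python
import threading

# Constructed sample responses: client2's response carries data that
# must never reach client1.
RESPONSE1 = b"HTTP/1.1 200 OK\r\nX-User: alice"
RESPONSE2 = b"HTTP/1.1 200 OK\r\nX-Token: secret-belonging-to-bob"
BUF_SIZE = 64  # assumed fixed pooled-buffer size


class NaiveBufferPool:
    """Pool that trusts every release(): a buffer released twice is
    stacked twice, so the next two acquire() calls return the same object."""

    def __init__(self, size):
        self._size = size
        self._free = []                 # LIFO free list of bytearrays
        self._lock = threading.Lock()

    def acquire(self):
        with self._lock:
            return self._free.pop() if self._free else bytearray(self._size)

    def release(self, buf):
        with self._lock:
            self._free.append(buf)


class GuardedBufferPool(NaiveBufferPool):
    """Same pool, but release() only accepts buffers it handed out and
    has not yet taken back, so a double release is rejected instead of
    silently creating an alias (an assumed hardening, not Jetty's fix)."""

    def __init__(self, size):
        super().__init__(size)
        self._outstanding = set()       # id() of every buffer currently lent out

    def acquire(self):
        buf = super().acquire()
        with self._lock:
            self._outstanding.add(id(buf))
        return buf

    def release(self, buf):
        with self._lock:
            if id(buf) not in self._outstanding:
                raise RuntimeError("double release of pooled buffer")
            self._outstanding.discard(id(buf))
            self._free.append(buf)


def fill(buf, data):
    """Write data into the pooled buffer and zero the remainder."""
    buf[:len(data)] = data
    buf[len(data):] = b"\0" * (len(buf) - len(data))


def run_scenario(pool):
    """Replay the sequence from the advisory on the given pool.

    Returns (bytes client1 receives, whether the double release was detected).
    """
    hdr = pool.acquire()            # header buffer for a request whose
    pool.release(hdr)               # headers are too large: 431 error path
    detected = False
    try:
        pool.release(hdr)           # normal cleanup releases it again (the bug)
    except RuntimeError:
        detected = True             # guarded pool refuses the second release

    buf1 = pool.acquire()           # thread1 serving client1
    fill(buf1, RESPONSE1)           # thread1 prepares response1
    buf2 = pool.acquire()           # thread2 serving client2
    fill(buf2, RESPONSE2)           # overwrites buf1 if the two are aliased
    client1_sees = bytes(buf1).rstrip(b"\0")   # thread1 flushes buf1 to client1
    return client1_sees, detected


if __name__ == "__main__":
    for pool_cls in (NaiveBufferPool, GuardedBufferPool):
        seen, detected = run_scenario(pool_cls(BUF_SIZE))
        print(f"{pool_cls.__name__}: detected={detected} client1 sees {seen!r}")
```

With the naive pool, client1 receives response2 and no error is raised, which is exactly why a bug of this kind leaks silently; with the guarded pool, the second release is rejected and each client receives only its own response. In a real server the equivalent checks are a one-shot release guard on the error path and pool instrumentation that treats a release of a non-outstanding buffer as a fault rather than a no-op.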