CVE-2020-27223

unknown

Published 2021-03-10 · Modified 2026-03-13

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v2

—

VIR risk

—

Description

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-27223

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2020-27223.html

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	bookworm	fixed	`9.4.38-1`
debian	bullseye	fixed	`9.4.38-1`
debian	forky	fixed	`9.4.38-1`
debian	sid	fixed	`9.4.38-1`
debian	trixie	fixed	`9.4.38-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.eclipse.jetty:jetty-server	`>=9.4.6,<9.4.37`	`9.4.37`
Maven	org.eclipse.jetty:jetty-server	`>=10.0.0,<10.0.1`	`10.0.1`
Maven	org.eclipse.jetty:jetty-server	`>=11.0.0,<11.0.1`	`11.0.1`

References

Verify integrity in audit chain (admin only). AS-IS.