CVE-2020-27223 MEDIUM

Vendor The Eclipse Foundation
Product Eclipse Jetty
Weakness CWE-407
Published February 26, 2021
Last update August 20, 2025

CVSS base score

5.2/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state: processing those quality values drives CPU usage high and can exhaust minutes of CPU time.

Key dates

02 Disclosure timeline

February 26, 2021 CVE published
August 20, 2025 Record updated