CVE-2020-27223

MEDIUM

Eclipse Jetty 9.4.6-9.4.36, 10.0.0, 11.0.0 - Denial of Service via Multiple Accept Headers with Quality Parameters


Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-27223: a working PoC published by motikan2010 and a stub repository published by ttestoo.

AI-analyzed exploit summary: This repository contains a proof-of-concept for CVE-2020-27223, a DoS vulnerability in Eclipse Jetty 9.4.6 through 9.4.36 (fixed in 9.4.37.v20210219), 10.0.0 (fixed in 10.0.1) and 11.0.0 (fixed in 11.0.1). The PoC demonstrates the vulnerability by sending Accept-Language headers (an Accept-family header whose quality parameters Jetty also parses) carrying a large number of q parameters, which triggers excessive processing time on the server.

Description

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state: parsing and ranking those quality values consumes high CPU, and a single crafted request can exhaust minutes of CPU time. No authentication or server-side configuration is needed beyond the ability to send a request with custom headers. The fix shipped in Jetty 9.4.37.v20210219, 10.0.1 and 11.0.1.
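The two checks a practitioner wants from this description are (a) whether a given Jetty version string falls inside the affected set and (b) a cheap pre-filter, e.g. at a reverse proxy or WAF, that flags requests stacking many Accept-family headers or q parameters before they reach a still-unpatched Jetty. The example below is added here and is not code from the page, the PoC repositories, or the Jetty project; the thresholds MAX_ACCEPT_HEADERS and MAX_Q_PARAMS are assumptions to tune for your traffic, and both sample requests are constructed inline.

```python
from __future__ import annotations

import re

# Affected set as stated in the advisory: 9.4.6.v20170531 through 9.4.36.v20210114
# (inclusive), plus the single releases 10.0.0 and 11.0.0.
AFFECTED_9_4_PATCH_RANGE = (6, 36)
AFFECTED_EXACT = {(10, 0, 0), (11, 0, 0)}
FIXED_IN = {(9, 4): "9.4.37.v20210219", (10, 0): "10.0.1", (11, 0): "11.0.1"}

# Assumed thresholds for the header pre-filter; an ordinary browser sends three or
# four Accept-family headers with a handful of q parameters in total.
MAX_ACCEPT_HEADERS = 4
MAX_Q_PARAMS = 16
ACCEPT_FAMILY = {"accept", "accept-language", "accept-encoding", "accept-charset"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")
_Q_PARAM_RE = re.compile(r";\s*q\s*=", re.IGNORECASE)


def parse_jetty_version(version: str) -> tuple[int, int, int]:
    """Turn 'major.minor.patch[.vYYYYMMDD]' into an int tuple; the date suffix is ignored."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the given Jetty version falls inside the CVE-2020-27223 affected set."""
    major, minor, patch = parse_jetty_version(version)
    if (major, minor) == (9, 4):
        low, high = AFFECTED_9_4_PATCH_RANGE
        return low <= patch <= high
    return (major, minor, patch) in AFFECTED_EXACT


def fixed_version_for(version: str) -> str | None:
    """First fixed release on the same line, or None if the version is not affected."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_jetty_version(version)
    return FIXED_IN[(major, minor)]


def analyze_request(raw_request: bytes) -> dict:
    """Count Accept-family headers and q= parameters in a raw HTTP/1.x header block."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    accept_headers = 0
    q_params = 0
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ACCEPT_FAMILY:
            continue
        accept_headers += 1
        q_params += len(_Q_PARAM_RE.findall(value))
    return {
        "accept_headers": accept_headers,
        "q_params": q_params,
        "suspicious": accept_headers > MAX_ACCEPT_HEADERS or q_params > MAX_Q_PARAMS,
    }


def build_crafted_request(header_count: int = 10, values_per_header: int = 200) -> bytes:
    """Constructed sample: many Accept-Language headers, each carrying many q parameters."""
    value = ",".join(f"x-{i};q=0.{i % 10}" for i in range(values_per_header))
    headers = "".join(f"Accept-Language: {value}\r\n" for _ in range(header_count))
    return f"GET / HTTP/1.1\r\nHost: jetty.example\r\n{headers}\r\n".encode("latin-1")


# Constructed benign request resembling an ordinary browser fetch.
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: jetty.example\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for v in ("9.4.36.v20210114", "9.4.37.v20210219", "10.0.0", "11.0.1"):
        print(v, "affected" if is_affected(v) else "not affected", fixed_version_for(v))
    print("benign:", analyze_request(BENIGN_REQUEST))
    print("crafted:", analyze_request(build_crafted_request()))
```

The pre-filter is a stopgap for the window before upgrading, not a fix: it only counts headers and q parameters and never parses or sorts them, so it stays linear in request size, and anything it drops would have been malformed for a browser anyway.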

Exploits (2)

nomisec WORKING POC 3 stars
by motikan2010 · poc
https://github.com/motikan2010/CVE-2020-27223

Classification
Working PoC (95% confidence)
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Eclipse Jetty 9.4.6 to 9.4.36, 10.0.0 and 11.0.0 (fixed in 9.4.37.v20210219, 10.0.1 and 11.0.1)
No auth needed
Prerequisites: Network access to the target Jetty server · Ability to send HTTP requests with custom headers
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by ttestoo · poc
https://github.com/ttestoo/Jetty-CVE-2020-27223

This repository appears to be a stub or placeholder for a PoC targeting CVE-2020-27223 (the Eclipse Jetty Accept-header quality-parameter DoS described above, which concerns header-value parsing and is independent of HTTP/2). It contains only a basic Spring Boot application with a single endpoint returning 'hello' and lacks any exploit logic or demonstration of the vulnerability.

Classification
Stub (90% confidence)
Attack Type
Other (no exploit present)
Complexity
Trivial
Reliability
Theoretical
Target: Eclipse Jetty (per the CVE; the repository itself exercises nothing)
No auth needed
Prerequisites: None demonstrated; the repository contains no exploit code
devstral-2 · analyzed Feb 16, 2026

References (67 tracked; core references shown)

Core References
Vendor Advisory (x_refsource_confirm): https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128
Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20210401-0005/
Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2021/dsa-4949

Scores

CVSS v3.1 5.2 (MEDIUM)
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector ADJACENT_NETWORK
EPSS 0.7795 (estimated probability of exploitation activity in the wild within the next 30 days)
EPSS Percentile 99.5%

Note that the vector's AV:A, PR:L and UI:R are more conservative than the working PoC's classification above, which needs no authentication and only the ability to send HTTP requests with custom headers, and the description mentions no user interaction. Size your exposure by who can reach the Jetty HTTP listener rather than by the vector alone.

Details

CWE
CWE-407 (Inefficient Algorithmic Complexity), CWE-400 (Uncontrolled Resource Consumption)
Status published
Products (21)
apache/nifi 1.13.0
apache/solr 8.8.1
apache/spark 3.1.1
debian/debian_linux 10.0
eclipse/jetty 9.4.6 20170531 (2 CPE variants)
eclipse/jetty 9.4.36 (2 CPE variants)
eclipse/jetty 10.0.0
eclipse/jetty 11.0.0
eclipse/jetty 9.4.7 - 9.4.36
netapp/e-series_santricity_os_controller 11.0.0 - 11.70.1
... and 11 more
Published Feb 26, 2021
Tracked Since Feb 18, 2026