Improper Neutralization

The advisory has been revoked: it does not affect any version of the package zookeeper.


Threat Intelligence

EPSS
1.17% (78th percentile)

  • Snyk ID: SNYK-WOLFILATEST-ZOOKEEPER-5915786
  • Published: 22 Sept 2023
  • Disclosed: 15 Sept 2023

Introduced: 15 Sep 2023

CVE-2023-36479
CWE-149

Amendment

The Wolfi security team deemed this advisory irrelevant for Wolfi:latest.

NVD Description

Note: Versions mentioned in the description apply only to the upstream zookeeper package and not the zookeeper package as distributed by Wolfi.

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
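As an added illustration of the quoting problem described above (this is not Jetty's or Wolfi's code), the following models the quote-wrapping pattern, shows the whitespace tokenization that Runtime.exec(String) is documented to perform on its argument, and contrasts it with a hardened form that passes the binary to ProcessBuilder as a single argv element. The prefix `/usr/bin/perl` and the CGI names are constructed inputs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class CgiCommandQuoting {

    // Model of the pattern the advisory describes (not Jetty's code): wrap a
    // binary name containing a space in double quotes, then prepend a prefix.
    static String buildCommandString(String cmdPrefix, String binary) {
        String cmd = binary.contains(" ") ? "\"" + binary + "\"" : binary;
        return cmdPrefix == null ? cmd : cmdPrefix + " " + cmd;
    }

    // Runtime.exec(String) is documented to split its argument with
    // new StringTokenizer(command): whitespace separates tokens, and the
    // quote characters carry no special meaning at this stage. A name that
    // contains a quote followed by a space therefore yields extra tokens.
    static List<String> tokensSeenByExec(String commandLine) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(commandLine);
        while (st.hasMoreTokens()) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    // Hardened form: hand the binary to ProcessBuilder as one argv element so
    // no quoting or re-tokenization takes place, and refuse names containing
    // a quote character, which a legitimate CGI name never needs.
    static ProcessBuilder buildSafely(String cmdPrefix, String binary) {
        if (binary.indexOf('"') >= 0) {
            throw new IllegalArgumentException("quote character in CGI name");
        }
        List<String> argv = new ArrayList<>();
        if (cmdPrefix != null) {
            argv.add(cmdPrefix);
        }
        argv.add(binary); // spaces stay inside this single argv element
        return new ProcessBuilder(argv);
    }

    public static void main(String[] args) {
        String crafted = "script.cgi\" extra"; // constructed: quote then space
        String cmd = buildCommandString("/usr/bin/perl", crafted);
        System.out.println("command string : " + cmd);
        System.out.println("tokens at exec : " + tokensSeenByExec(cmd));
        System.out.println("hardened argv  : "
            + buildSafely("/usr/bin/perl", "my script.cgi").command());
    }
}
```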