How severe is CVE-2023-41900?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.3 out of 10.

What type of vulnerability is CVE-2023-41900?

This is classified as CWE-1390, which is a common weakness in software security.

CVE-2023-41900 - MEDIUM Severity | CVSS 4.3

Vulnerability Description

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

Related Vulnerabilities

CVE-2025-0605

MEDIUM

CVSS:4.3(Medium)

An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass tw...

CWE-13902025

CVE-2024-5891

MEDIUM

CVSS:4.2(Medium)

A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the ...

CWE-13902024

CVE-2023-41862

MEDIUM

CVSS:5.3(Medium)

Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse.This issue affects VS Contact Form: from n/a through 14.0.

CWE-13902023

CVE-2024-47127

MEDIUM

CVSS:3.1(Low)

In the goTenna Pro App there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing goTenna mesh networks. This vul...

CWE-13902024

CVE-2024-45551

MEDIUM

CVSS:6.2(Medium)

Cryptographic issue occurs during PIN/password verification using Gatekeeper, where RPMB writes can be dropped on verification failure, potentially leading to a user throttling bypass.

CWE-13902024

CVE-2022-43400

CRITICAL

CVSS:9.8(Critical)

A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a (80)). The mobile server component of affected applications improperly handles the log in for Act...

CWE-13902022