CVE-2023-36479
Jetty vulnerable to errant command quoting in CGI ServletEclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
We have discovered 3,281 live websites that are affected by CVE-2023-36479.
Affected Software
| Product |  Jetty |
| Category | Web Servers |
| Vulnerable Domains | 3,281 live websites (100% of Jetty install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-149 Improper Neutralization of Quoting SyntaxDetails
- Published - Sep 15, 2023
- Updated - Jun 18, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2023-36479 United States | 1,426 websites |
 Netherlands | 955 websites |
 Germany | 176 websites |
 France | 145 websites |
 Canada | 62 websites |
 China | 60 websites |
 Australia | 42 websites |
 Italy | 42 websites |
 Singapore | 29 websites |
 GB | 26 websites |
Website Distribution by TLD
Number of websites using CVE-2023-36479| .com | 1,135 websites |
| .org | 225 websites |
| .net | 139 websites |
| .edu | 128 websites |
| .fr | 90 websites |
| .de | 77 websites |
| .ca | 31 websites |
| .nl | 23 websites |
| .it | 22 websites |
| .com.br | 20 websites |
Websites affected by CVE-2023-36479
Top websites that are affected by CVE-2023-36479. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.***********.net | United States | *,*** | |
| ******.rocks | Netherlands | **,*** | |
| *.******.com | United States | **,*** | |
| *********.******.com | United States | **,*** | |
| *********.se |  Sweden | **,*** | |
| **.****************.com | United States | **,*** | |
| **.******.net | United States | **,*** | |
| *****.****.edu | United States | **,*** | |
| *********.******.com | United States | **,*** | |
| ***.**********.edu | United States | **,*** |
FAQ
CVE-2023-36479 is Improper Neutralization of Quoting Syntax in Jetty
A total of 3,281 websites have been identified as vulnerable to CVE-2023-36479, based on global website indexing conducted by WebTechSurvey.
The Jetty is affected by the CVE-2023-36479 vulnerability.
Jetty versions up to and including 11.0.15 are vulnerable to CVE-2023-36479.
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
- https://github.com/eclipse/jetty.project/pull/9516
- https://github.com/eclipse/jetty.project/pull/9888
- https://github.com/eclipse/jetty.project/pull/9889
- https://www.debian.org/security/2023/dsa-5507
- https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html