CVE-2023-36479
Jetty vulnerable to errant command quoting in CGI ServletEclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
We have discovered 3,125 live websites that are affected by CVE-2023-36479.
Affected Software
| Product |  Jetty |
| Category | Web Servers |
| Vulnerable Domains | 3,125 live websites (58% of Jetty install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 106 versions ( 47% of all versions) |
Common Weakness Enumeration
CWE-149 Improper Neutralization of Quoting SyntaxDetails
- Published - Sep 15, 2023
- Updated - Jun 18, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2023-36479 United States | 1,336 websites |
 Netherlands | 957 websites |
 Germany | 173 websites |
 France | 130 websites |
 Canada | 60 websites |
 China | 57 websites |
 Italy | 35 websites |
 Australia | 34 websites |
 GB | 28 websites |
 Singapore | 25 websites |
Website Distribution by TLD
Number of websites using CVE-2023-36479| .com | 1,094 websites |
| .org | 178 websites |
| .net | 141 websites |
| .edu | 111 websites |
| .de | 77 websites |
| .fr | 76 websites |
| .ca | 30 websites |
| .com.au | 19 websites |
| .ru | 18 websites |
| .it | 17 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-36479
Top websites that are affected by CVE-2023-36479. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.***********.net | United States | *,*** | |
| ******.rocks | Netherlands | **,*** | |
| *.******.com | United States | **,*** | |
| *********.******.com | United States | **,*** | |
| *********.se |  Sweden | **,*** | |
| **.****************.com | United States | **,*** | |
| **.******.net | United States | **,*** | |
| *****.****.edu | United States | **,*** | |
| *********.******.com | United States | **,*** | |
| ***.**********.edu | United States | **,*** |
FAQ
CVE-2023-36479 is Improper Neutralization of Quoting Syntax in Jetty
A total of 3,125 websites have been identified as vulnerable to CVE-2023-36479, based on global website indexing conducted by WebTechSurvey.
The Jetty is affected by the CVE-2023-36479 vulnerability.
Jetty versions up to and including 11.0.15 are vulnerable to CVE-2023-36479.
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
- https://github.com/eclipse/jetty.project/pull/9516
- https://github.com/eclipse/jetty.project/pull/9888
- https://github.com/eclipse/jetty.project/pull/9889
- https://www.debian.org/security/2023/dsa-5507
- https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html