In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CVE-2020-27223
This medium-severity CVE scores 5.2 under NVD CVSS v3. EPSS exploit probability: 27.9%, top 3% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High exploitation likelihood — EPSS 78%
A fix is available — apply it.
- CVSS v3
- 5.2
- EG Score
- 5.2(medium)
- EPSS
- 99.5%
- KEV
- Not listed
Published
February 26, 2021
Last Modified
August 20, 2025
References (133)
- emo@eclipsehttps://bugs.eclipse.org/bugs/show_bug.cgi?id=571128
- emo@eclipsehttps://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
- emo@eclipsehttps://github.com/jetty/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131
- emo@eclipsehttps://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78%40%3Cissues.solr.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320%40%3Cusers.solr.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567%40%3Cissues.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428%40%3Ccommits.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760%40%3Cnotifications.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc%40%3Cgitbox.activemq.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463%40%3Cissues.spark.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3%40%3Creviews.spark.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b%40%3Cjira.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f%40%3Cissues.nifi.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01%40%3Cnotifications.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283%40%3Cissues.spark.apache.org%3E
Vendor Advisories for CVE-2020-27223(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(7)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | jetty | 2022-09-09 | redhat |
| redhat | patch | 2021-11-23 | redhat |
| redhat | patch | 2021-09-30 | redhat |
| redhat | rhmtc/openshift-velero-plugin-rhel8:v1.4.6-4 | 2021-07-21 | redhat |
| redhat | jenkins-0:2.277.3.1623846768-1.el7 | 2021-07-02 | redhat |
| redhat | jenkins-0:2.289.1.1624365627-1.el7 | 2021-06-30 | redhat |
| redhat | jenkins-0:2.277.3.1623853726-1.el8 | 2021-06-29 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.eclipse.jetty:jetty-server | 11.0.0 | 11.0.1 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(8)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHBA-2021:2854MODERATE2021-02-26
RHBA-2021:2854 — Moderate
- Red HatRHSA-2021:2431MODERATE2021-02-26
RHSA-2021:2431 — Moderate
- Red HatRHSA-2021:2499MODERATE2021-02-26
RHSA-2021:2499 — Moderate
- Red HatRHSA-2021:2517MODERATE2021-02-26
RHSA-2021:2517 — Moderate
- Red HatRHSA-2021:2689MODERATE2021-02-26
RHSA-2021:2689 — Moderate
- Red HatRHSA-2021:3700MODERATE2021-02-26
RHSA-2021:3700 — Moderate
- Red HatRHSA-2021:4767MODERATE2021-02-26
RHSA-2021:4767 — Moderate
- Red HatRHSA-2022:6407MODERATE2021-02-26
RHSA-2022:6407 — Moderate
Data Freshness Timeline
(refreshed 1× in last 7d / 21× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 08:18 UTCOSV refresh
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-17 17:50 UTCEPSS rescore
- 2026-06-16 17:50 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 13:13 UTCOSV refresh
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
Show 24 moreShow fewer
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 20:19 UTCEG score recompute
- 2026-05-26 20:19 UTCVendor advisory
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
Publicly available exploits
(1 reference)Working exploit code is in the public domain (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCmotikan2010/CVE-2020-27223First seen Mar 19, 2021
CVE-2020-27223 Vulnerability App & PoC
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-400
Frequently asked(5)
What is CVE-2020-27223?
When was CVE-2020-27223 disclosed?
Is CVE-2020-27223 actively exploited?
What is the CVSS score of CVE-2020-27223?
How do I remediate CVE-2020-27223?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2020-27223
Is Your Infrastructure Affected by CVE-2020-27223?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.