Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jajd2LTI3cGctd2Y3cc4AAtJM

Jetty invalid URI parsing may produce invalid HttpURI.authority

Description

URI use within Jetty's HttpURI class can parse invalid URIs such as http://localhost;/path as having an authority with a host of localhost;.

A URIs of the type http://localhost;/path should be interpreted to be either invalid or as localhost; to be the userinfo and no host.
However, HttpURI.host returns localhost; which is definitely wrong.

Impact

This can lead to errors with Jetty's HttpClient, and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.

Patches

Patched in PR #8146 for Jetty version 9.4.47.
Patched in PR #8014 for Jetty versions 10.0.10, and 11.0.10

Workarounds

None.

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected].

Permalink: https://github.com/advisories/GHSA-cj7v-27pg-wf7q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jajd2LTI3cGctd2Y3cc4AAtJM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago

CVSS Score: 2.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-cj7v-27pg-wf7q, CVE-2022-2047
References:

• https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
• https://nvd.nist.gov/vuln/detail/CVE-2022-2047
• https://www.debian.org/security/2022/dsa-5198
• https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html
• https://security.netapp.com/advisory/ntap-20220901-0006/
• https://github.com/advisories/GHSA-cj7v-27pg-wf7q

Repository: https://github.com/eclipse/jetty.project
Blast Radius: 10.5

Affected Packages