Jetty invalid URI parsing may produce invalid HttpURI.authority
GHSA-cj7v-27pg-wf7q · CVE-2022-2047
Description
Jetty's HttpURI class can parse an invalid URI such as http://localhost;/path as having an authority whose host is localhost;.
A URI of the form http://localhost;/path should be interpreted either as invalid or as having localhost; as the userinfo and no host.
However, HttpURI.host returns localhost;, which is definitely wrong.
Impact
This can lead to errors in Jetty's HttpClient, and to Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.
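As an added illustration (not Jetty's code), Python's stdlib urlsplit reproduces the same lenient parse the advisory describes, reporting localhost; as the host; beside it is a strict authority splitter, with a hostname grammar and function names that are my own assumptions, that a proxy could use to fail closed on such input.

```python
import re
from urllib.parse import urlsplit

# Strict host grammar (assumed here): DNS-style hostname, dotted IPv4
# literal, or bracketed IPv6 literal. Sub-delimiters such as ';' that a
# lenient reg-name parse accepts are deliberately excluded.
_HOST_RE = re.compile(
    r"^(?:"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?"
    r"|\[[0-9A-Fa-f:.]+\]"
    r")$"
)


def lenient_host(uri: str):
    """Lenient parse: urlsplit, like the flawed HttpURI, reports 'localhost;'
    as the host of http://localhost;/path."""
    return urlsplit(uri).hostname


def strict_authority(uri: str):
    """Split the authority into (userinfo, host, port) and reject any host
    that is not a plausible hostname or IP literal. Returns None for an
    invalid or absent authority so that callers fail closed."""
    authority = urlsplit(uri).netloc
    if not authority:
        return None
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        userinfo = None  # no '@' means the whole authority is host[:port]
    if hostport.startswith("["):
        close = hostport.find("]")
        if close < 0:
            return None
        host, rest = hostport[: close + 1], hostport[close + 1 :]
    else:
        host, colon, portstr = hostport.partition(":")
        rest = colon + portstr
    port = None
    if rest:
        if not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        port = int(rest[1:])
        if port > 65535:
            return None
    if not _HOST_RE.fullmatch(host):
        return None  # 'localhost;' and similar are rejected here
    return (userinfo, host.lower(), port)
```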
Patches
Patched in PR #8146 for Jetty version 9.4.47.
Patched in PR #8014 for Jetty versions 10.0.10 and 11.0.10.
Workarounds
None.
For more information
If you have any questions or comments about this advisory:
- Email us at security@webtide.com.
References
- WEB https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-2047
- PACKAGE https://github.com/eclipse/jetty.project
- WEB https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html
- WEB https://security.netapp.com/advisory/ntap-20220901-0006
- WEB https://www.debian.org/security/2022/dsa-5198