URI use within Jetty's HttpURI class can parse invalid URIs such as http://localhost;/path as having an authority with a host of localhost;.
A URIs of the type http://localhost;/path should be interpreted to be either invalid or as localhost; to be the userinfo and no host.
However, HttpURI.host returns localhost; which is definitely wrong.
This can lead to errors with Jetty's HttpClient, and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.
Patched in PR #8146 for Jetty version 9.4.47.
Patched in PR #8014 for Jetty versions 10.0.10, and 11.0.10
None.
If you have any questions or comments about this advisory:
* Email us at [email protected].
| Score | Percentile |
|---|---|
| 1.19% | 78.52% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.7 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-cj7v-27pg-wf7q ↗ |
| CVE | CVE-2022-2047 ↗ |
| CWE id | Name |
|---|---|
| CWE-20 | Improper Input Validation |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | org.eclipse.jetty:jetty-http | < 9.4.47 | 9.4.47 | — |
| maven | org.eclipse.jetty:jetty-http | >= 10.0.0, < 10.0.10 | 10.0.10 | — |
| maven | org.eclipse.jetty:jetty-http | >= 11.0.0, < 11.0.10 | 11.0.10 | — |