GHSA-cj7v-27pg-wf7q

Suggest an improvement
Source
https://github.com/advisories/GHSA-cj7v-27pg-wf7q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cj7v-27pg-wf7q
Aliases
Published
2022-07-07T20:55:34Z
Modified
2024-02-15T05:29:41.139804Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Jetty invalid URI parsing may produce invalid HttpURI.authority
Details

Description

URI use within Jetty's HttpURI class can parse invalid URIs such as http://localhost;/path as having an authority with a host of localhost;.

A URIs of the type http://localhost;/path should be interpreted to be either invalid or as localhost; to be the userinfo and no host. However, HttpURI.host returns localhost; which is definitely wrong.

Impact

This can lead to errors with Jetty's HttpClient, and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.

Patches

Patched in PR #8146 for Jetty version 9.4.47. Patched in PR #8014 for Jetty versions 10.0.10, and 11.0.10

Workarounds

None.

For more information

If you have any questions or comments about this advisory: * Email us at security@webtide.com.

References

Affected packages

Maven / org.eclipse.jetty:jetty-http

Package

Name
org.eclipse.jetty:jetty-http
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.47

Affected versions

7.*

7.0.0.M0
7.0.0.M1
7.0.0.M2
7.0.0.M3
7.0.0.M4
7.0.0.RC0
7.0.0.RC1
7.0.0.RC2
7.0.0.RC3
7.0.0.RC4
7.0.0.RC5
7.0.0.RC6
7.0.0.v20091005
7.0.1.v20091125
7.0.2.RC0
7.0.2.v20100331
7.1.0.RC0
7.1.0.RC1
7.1.0.v20100505
7.1.1.v20100517
7.1.2.v20100523
7.1.3.v20100526
7.1.4.v20100610
7.1.5.v20100705
7.1.6.v20100715
7.2.0.RC0
7.2.0.v20101020
7.2.1.v20101111
7.2.2.v20101205
7.3.0.v20110203
7.3.1.v20110307
7.4.0.RC0
7.4.0.v20110414
7.4.1.v20110513
7.4.2.v20110526
7.4.3.v20110701
7.4.4.v20110707
7.4.5.v20110725
7.5.0.RC0
7.5.0.RC1
7.5.0.RC2
7.5.0.v20110901
7.5.1.v20110908
7.5.2.v20111006
7.5.3.v20111011
7.5.4.v20111024
7.6.0.RC0
7.6.0.RC1
7.6.0.RC2
7.6.0.RC3
7.6.0.RC4
7.6.0.RC5
7.6.0.v20120127
7.6.1.v20120215
7.6.2.v20120308
7.6.3.v20120416
7.6.4.v20120524
7.6.5.v20120716
7.6.6.v20120903
7.6.7.v20120910
7.6.8.v20121106
7.6.9.v20130131
7.6.10.v20130312
7.6.11.v20130520
7.6.12.v20130726
7.6.13.v20130916
7.6.14.v20131031
7.6.15.v20140411
7.6.16.v20140903
7.6.17.v20150415
7.6.18.v20150929
7.6.19.v20160209
7.6.20.v20160902
7.6.21.v20160908

8.*

8.0.0.M0
8.0.0.M1
8.0.0.M2
8.0.0.M3
8.0.0.RC0
8.0.0.v20110901
8.0.1.v20110908
8.0.2.v20111006
8.0.3.v20111011
8.0.4.v20111024
8.1.0.RC0
8.1.0.RC1
8.1.0.RC2
8.1.0.RC4
8.1.0.RC5
8.1.0.v20120127
8.1.1.v20120215
8.1.2.v20120308
8.1.3.v20120416
8.1.4.v20120524
8.1.5.v20120716
8.1.6.v20120903
8.1.7.v20120910
8.1.8.v20121106
8.1.9.v20130131
8.1.10.v20130312
8.1.11.v20130520
8.1.12.v20130726
8.1.13.v20130916
8.1.14.v20131031
8.1.15.v20140411
8.1.16.v20140903
8.1.17.v20150415
8.1.18.v20150929
8.1.19.v20160209
8.1.20.v20160902
8.1.21.v20160908
8.1.22.v20160922
8.2.0.v20160908

9.*

9.0.0.M0
9.0.0.M1
9.0.0.M2
9.0.0.M3
9.0.0.M4
9.0.0.M5
9.0.0.RC0
9.0.0.RC1
9.0.0.RC2
9.0.0.v20130308
9.0.1.v20130408
9.0.2.v20130417
9.0.3.v20130506
9.0.4.v20130625
9.0.5.v20130815
9.0.6.v20130930
9.0.7.v20131107
9.1.0.M0
9.1.0.RC0
9.1.0.RC1
9.1.0.RC2
9.1.0.v20131115
9.1.1.v20140108
9.1.2.v20140210
9.1.3.v20140225
9.1.4.v20140401
9.1.5.v20140505
9.1.6.v20160112
9.2.0.M0
9.2.0.M1
9.2.0.RC0
9.2.0.v20140526
9.2.1.v20140609
9.2.2.v20140723
9.2.3.v20140905
9.2.4.v20141103
9.2.5.v20141112
9.2.6.v20141205
9.2.7.v20150116
9.2.8.v20150217
9.2.9.v20150224
9.2.10.v20150310
9.2.11.M0
9.2.11.v20150529
9.2.12.M0
9.2.12.v20150709
9.2.13.v20150730
9.2.14.v20151106
9.2.15.v20160210
9.2.16.v20160414
9.2.17.v20160517
9.2.18.v20160721
9.2.19.v20160908
9.2.20.v20161216
9.2.21.v20170120
9.2.22.v20170606
9.2.23.v20171218
9.2.24.v20180105
9.2.25.v20180606
9.2.26.v20180806
9.2.27.v20190403
9.2.28.v20190418
9.2.29.v20191105
9.2.30.v20200428
9.3.0.M0
9.3.0.M1
9.3.0.M2
9.3.0.RC0
9.3.0.RC1
9.3.0.v20150612
9.3.1.v20150714
9.3.2.v20150730
9.3.3.v20150827
9.3.4.RC0
9.3.4.RC1
9.3.4.v20151007
9.3.5.v20151012
9.3.6.v20151106
9.3.7.RC0
9.3.7.RC1
9.3.7.v20160115
9.3.8.RC0
9.3.8.v20160314
9.3.9.M0
9.3.9.M1
9.3.9.v20160517
9.3.10.M0
9.3.10.v20160621
9.3.11.M0
9.3.11.v20160721
9.3.12.v20160915
9.3.13.M0
9.3.13.v20161014
9.3.14.v20161028
9.3.15.v20161220
9.3.16.v20170120
9.3.17.RC0
9.3.17.v20170317
9.3.18.v20170406
9.3.19.v20170502
9.3.20.v20170531
9.3.21.M0
9.3.21.RC0
9.3.21.v20170918
9.3.22.v20171030
9.3.23.v20180228
9.3.24.v20180605
9.3.25.v20180904
9.3.26.v20190403
9.3.27.v20190418
9.3.28.v20191105
9.3.29.v20201019
9.3.30.v20211001
9.4.0.M0
9.4.0.M1
9.4.0.RC0
9.4.0.RC1
9.4.0.RC2
9.4.0.RC3
9.4.0.v20161208
9.4.0.v20180619
9.4.1.v20170120
9.4.1.v20180619
9.4.2.v20170220
9.4.2.v20180619
9.4.3.v20170317
9.4.3.v20180619
9.4.4.v20170414
9.4.4.v20180619
9.4.5.v20170502
9.4.5.v20180619
9.4.6.v20170531
9.4.6.v20180619
9.4.7.RC0
9.4.7.v20170914
9.4.7.v20180619
9.4.8.v20171121
9.4.8.v20180619
9.4.9.v20180320
9.4.10.RC0
9.4.10.RC1
9.4.10.v20180503
9.4.11.v20180605
9.4.12.RC0
9.4.12.RC1
9.4.12.RC2
9.4.12.v20180830
9.4.13.v20181111
9.4.14.v20181114
9.4.15.v20190215
9.4.16.v20190411
9.4.17.v20190418
9.4.18.v20190429
9.4.19.v20190610
9.4.20.v20190813
9.4.21.v20190926
9.4.22.v20191022
9.4.23.v20191118
9.4.24.v20191120
9.4.25.v20191220
9.4.26.v20200117
9.4.27.v20200227
9.4.28.v20200408
9.4.29.v20200521
9.4.30.v20200611
9.4.31.v20200723
9.4.32.v20200930
9.4.33.v20201020
9.4.34.v20201102
9.4.35.v20201120
9.4.36.v20210114
9.4.37.v20210219
9.4.38.v20210224
9.4.39.v20210325
9.4.40.v20210413
9.4.41.v20210516
9.4.42.v20210604
9.4.43.v20210629
9.4.44.v20210927
9.4.45.v20220203
9.4.46.v20220331

Maven / org.eclipse.jetty:jetty-http

Package

Name
org.eclipse.jetty:jetty-http
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.10

Affected versions

10.*

10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9

Maven / org.eclipse.jetty:jetty-http

Package

Name
org.eclipse.jetty:jetty-http
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.10

Affected versions

11.*

11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.0.9