URI use within Jetty's HttpURI
class can parse invalid URIs such as http://localhost;/path
as having an authority with a host of localhost;
.
A URIs of the type http://localhost;/path
should be interpreted to be either invalid or as localhost;
to be the userinfo and no host.
However, HttpURI.host
returns localhost;
which is definitely wrong.
This can lead to errors with Jetty's HttpClient
, and Jetty's ProxyServlet
/ AsyncProxyServlet
/ AsyncMiddleManServlet
wrongly interpreting an authority with no host as one with a host.
Patched in PR #8146 for Jetty version 9.4.47. Patched in PR #8014 for Jetty versions 10.0.10, and 11.0.10
None.
If you have any questions or comments about this advisory: * Email us at security@webtide.com.
{ "nvd_published_at": "2022-07-07T21:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2022-07-07T20:55:34Z" }