OSV:GHSA-CJ7V-27PG-WF7Q
Jul 07, 2022 - 8:55 p.m.

Jetty invalid URI parsing may produce invalid HttpURI.authority

2022-07-07 20:55:34
Google
osv.dev

CVSS3: 2.7 Low

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CVSS2: 4 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 35.1%

Description

URI use within Jetty’s HttpURI class can parse invalid URIs such as http://localhost;/path as having an authority with a host of localhost;.

A URI of the type http://localhost;/path should be interpreted either as invalid, or with localhost; as the userinfo and no host.
However, HttpURI.host returns localhost;, which is definitely wrong.
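
The check below is an added example, not Jetty code and not the fix from the PRs listed under Patches: it shows how calling code, such as a proxy, can refuse to forward a URI whose authority contains no usable host. The class name AuthorityCheck and the method strictHost are hypothetical, and the check is deliberately stricter than generic URI syntax, accepting only letter/digit/hyphen host names and bracketed IPv6 literals.

```java
import java.util.regex.Pattern;

// Added example, not Jetty code: strict authority check for a proxy or client wrapper.
public class AuthorityCheck {
    // RFC 1123 style host name: dot-separated labels of letters, digits and hyphens.
    private static final Pattern HOSTNAME = Pattern.compile(
        "(?i)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\\.?");
    // Bracketed IPv6 literal, checked only for shape here.
    private static final Pattern IP6_LITERAL = Pattern.compile("\\[[0-9A-Fa-f:.]+\\]");

    /** Returns the host of an absolute URI, or null when the authority has no usable host. */
    static String strictHost(String uri) {
        int start = uri.indexOf("://");
        if (start < 0) return null;
        start += 3;
        int end = uri.length();
        for (int i = start; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '/' || c == '?' || c == '#') { end = i; break; }
        }
        String authority = uri.substring(start, end);
        // Everything up to the last '@' is userinfo and never part of the host.
        String hostPort = authority.substring(authority.lastIndexOf('@') + 1);
        String host = hostPort;
        int colon = hostPort.lastIndexOf(':');
        if (colon > hostPort.lastIndexOf(']')) {  // a ':' after any IPv6 bracket starts the port
            if (!hostPort.substring(colon + 1).matches("[0-9]*")) return null;
            host = hostPort.substring(0, colon);
        }
        boolean ok = HOSTNAME.matcher(host).matches() || IP6_LITERAL.matcher(host).matches();
        return ok ? host : null;
    }

    public static void main(String[] args) {
        // Constructed inputs; the second is the URI from the advisory.
        String[] samples = {
            "http://localhost/path", "http://localhost;/path",
            "http://user@example.com:8080/", "http://[::1]:8080/x", "http://user@/path" };
        for (String s : samples) {
            String host = strictHost(s);
            System.out.println(s + " -> " + (host == null ? "REJECT" : host));
        }
    }
}
```

Run against the samples, the advisory's http://localhost;/path and the host-less http://user@/path are rejected, while the other three yield localhost, example.com and [::1].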

Impact

This can lead to errors with Jetty’s HttpClient, and Jetty’s ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.

Patches

Patched in PR #8146 for Jetty version 9.4.47.
Patched in PR #8014 for Jetty versions 10.0.10 and 11.0.10.

Workarounds

None.

For more information

If you have any questions or comments about this advisory:
