CVE-2024-6763
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Eclipse Foundation | Jetty | 7.0.0 <= 12.0.11 | affected |
Weaknesses
- CWE-1286: CWE-1286
Workarounds
The attacks outlined above rely on decoded user data being passed to the HttpURI class. Application should not pass decoded user data as an encoded URI to any URI class/method, including HttpURI. Such applications are likely to be vulnerable in other ways.
The immediate solution is to upgrade to a version of the class that will fully validate the characters of the URI authority. Ultimately, Jetty will deprecate and remove support for user info in the authority per RFC9110 Section 4.2.4 https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4 .
Note that the Chrome (and other browsers) parse the invalid user info section improperly as well (due to flawed WhatWG URL parsing rules that do not apply outside of a Web Browser).
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/25
- https://github.com/jetty/jetty.project/pull/12012
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.