CVE-2022-2047
ADVISORY - github
Summary
Description
URI parsing in Jetty's HttpURI class accepts invalid URIs such as http://localhost;/path and parses them as having an authority with a host of localhost;.
A URI of the form http://localhost;/path should be interpreted either as invalid or as having localhost; as the userinfo and no host.
Instead, HttpURI.host returns localhost; as the host, which is wrong: a host name cannot contain ";".
Impact
This can lead to errors in Jetty's HttpClient, and to Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly treating an authority that has no host as one that has a host, so that a malformed authority is passed on as if it named a real upstream.
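The following Python model is an added example and is not Jetty's code: lenient_authority() reproduces the pre-fix behaviour described above (whatever sits between "//" and the next "/" becomes the authority, and the part after the last "@" becomes the host with no character check), while strict_authority() shows the kind of validation the fix adds, rejecting any host that is not a DNS-style name, an IPv4 address or a bracketed IPv6 literal. All function names, the Authority dataclass and the sample URIs are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Authority:
    userinfo: Optional[str]
    host: Optional[str]
    port: Optional[int]


# scheme "://" authority, where the authority runs up to the first "/", "?" or "#"
_SCHEME_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

# A host name as DNS allows it: dot-separated labels of letters, digits and interior
# hyphens, each at most 63 characters. IPv4 dotted-quads match this too. ";" does not,
# so "localhost;" is rejected.
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
_PORT = re.compile(r"^[0-9]{1,5}$")


def _authority_of(uri: str) -> str:
    m = _SCHEME_AUTHORITY.match(uri)
    if m is None:
        raise ValueError(f"not an absolute URI with an authority: {uri!r}")
    return m.group(1)


def lenient_authority(uri: str) -> Authority:
    """Model of the pre-fix behaviour the advisory describes (assumption, not Jetty's code):
    the text after the last "@" is host[:port] and no character in the host is checked."""
    authority = _authority_of(uri)
    userinfo, at, hostport = authority.rpartition("@")
    host, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text.isdigit() else None
    return Authority(userinfo if at else None, host, port)


def strict_authority(uri: str) -> Authority:
    """Hardened parser: the host must be a valid host name / IPv4 address or a bracketed
    IPv6 literal and the port must be numeric. Anything else, "localhost;" included,
    raises ValueError instead of yielding a bogus host."""
    authority = _authority_of(uri)
    userinfo, at, hostport = authority.rpartition("@")
    if hostport.startswith("["):  # IP-literal such as [::1]
        end = hostport.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal in {authority!r}")
        host, rest = hostport[: end + 1], hostport[end + 1 :]
        ipaddress.IPv6Address(host[1:-1])  # raises ValueError if not an IPv6 address
    else:
        host, colon, port_text = hostport.partition(":")
        rest = colon + port_text
        if not _HOSTNAME.match(host):
            raise ValueError(f"invalid host {host!r} in {authority!r}")
    port: Optional[int] = None
    if rest:
        if not rest.startswith(":") or not _PORT.match(rest[1:]) or int(rest[1:]) > 65535:
            raise ValueError(f"invalid port in {authority!r}")
        port = int(rest[1:])
    return Authority(userinfo if at else None, host, port)


def routable_host(uri: str) -> Optional[str]:
    """The check a proxy should make before using a parsed host to choose an upstream:
    return the host only if the authority parsed strictly, otherwise None."""
    try:
        return strict_authority(uri).host
    except ValueError:
        return None


if __name__ == "__main__":
    # constructed sample URIs
    for uri in ("http://localhost;/path", "http://user@localhost:8080/path"):
        print(uri)
        print("  lenient host:", lenient_authority(uri).host)
        print("  strict host: ", routable_host(uri))
```

The point of the comparison is the last line for the first URI: the lenient parser hands back "localhost;" as a host a proxy might then try to connect to or match against an allowlist, while the strict parser refuses to produce a host at all, which is the "invalid" interpretation the advisory calls for.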
Patches
Patched in PR #8146 for Jetty 9.4.47, and in PR #8014 for Jetty 10.0.10 and 11.0.10. Earlier releases of the 9.4.x, 10.0.x and 11.0.x lines carry the bug; upgrade to those versions or later.
Workarounds
None.
For more information
If you have any questions or comments about this advisory:
- Email us at security@webtide.com.
Common Weakness Enumeration (CWE)
CWE-20: Improper Input Validation
CVSS scores and advisory identifiers by source
Source       CVSS score   Severity   Exploitability subscore   Advisory ID
NIST         2.7          low        1.2
GitHub       2.7          low        1.2
Debian       -            -          -
Ubuntu       2.7          medium     1.2
Red Hat      2.7          low        1.2
Chainguard   -            -          -                         CGA-5rw4-v8ph-63v2
Chainguard   -            -          -                         CGA-jx2r-rw4w-x85g
minimos      -            -          -                         MINI-p977-gv49-j35j
Ubuntu's "medium" is the distribution's own priority rating; on the CVSS v3 qualitative scale a base score of 2.7 is Low.