jetty-http is vulnerable to improper input validation. The vulnerability exists because the authority function of HttpURI.java does not properly validate the _path parameter as a valid authority, so an invalid URL such as http://localhost;/path is parsed and the malformed value (here "localhost;") is accepted as the hostname.
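The defensive counterpart to this bug is an authority parser that refuses anything it cannot prove is a host[:port] before the value is used for routing or outbound connections. The block below is an added illustration, not Jetty's HttpURI code and not the project's fix; it assumes a deliberately conservative host grammar (DNS-style labels or IP literals), which is stricter than the RFC 3986 reg-name rule that would admit ';' as a sub-delimiter. Under that grammar http://localhost;/path is rejected instead of yielding "localhost;" as a hostname.

```python
import ipaddress
import re

# Conservative host grammar (an assumption of this example, not Jetty's rule):
# DNS-style labels of letters, digits and hyphens, 1-63 chars each, joined by
# dots, total length <= 253. Sub-delimiters such as ';' are not admitted, which
# is what keeps "localhost;" from being accepted as a hostname.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def _split_authority(uri):
    """Return the raw authority of an absolute URI, or None if there is none."""
    scheme_end = uri.find("://")
    if scheme_end < 0:
        return None
    rest = uri[scheme_end + 3:]
    # The authority ends at the first '/', '?' or '#'.
    end = len(rest)
    for ch in "/?#":
        i = rest.find(ch)
        if 0 <= i < end:
            end = i
    return rest[:end]


def _parse_port(text):
    """Accept only a decimal port in 1..65535."""
    if not text.isdigit():
        raise ValueError(f"invalid port {text!r}")
    port = int(text)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range {port}")
    return port


def parse_authority(uri):
    """Parse scheme://authority/... into (userinfo, host, port).

    Raises ValueError for anything that is not a clean host[:port], so a caller
    never sees a host string it cannot safely resolve or connect to.
    """
    authority = _split_authority(uri)
    if authority is None:
        raise ValueError("no authority in URI")
    userinfo = None
    if "@" in authority:
        userinfo, authority = authority.rsplit("@", 1)
    port = None
    if authority.startswith("["):
        # IPv6 literal: bracket must close, optional ':port' may follow.
        close = authority.find("]")
        if close < 0:
            raise ValueError("unterminated IPv6 literal")
        host = authority[1:close]
        ipaddress.IPv6Address(host)  # AddressValueError (a ValueError) if malformed
        tail = authority[close + 1:]
        if tail:
            if not tail.startswith(":"):
                raise ValueError("unexpected characters after IPv6 literal")
            port = _parse_port(tail[1:])
    else:
        host, sep, port_text = authority.partition(":")
        if sep:
            port = _parse_port(port_text)
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid host {host!r}")
    return userinfo, host, port


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's malformed URL and two clean ones.
    for sample in ("http://localhost;/path", "http://localhost/path", "http://[::1]:8443/"):
        try:
            print(sample, "->", parse_authority(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

A proxy or redirect handler would call parse_authority on the incoming request-target (or Host value) and treat a ValueError as a 400, rather than forwarding whatever string fell out of a lenient parser.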
github.com/eclipse/jetty.project/commit/4ca8afbbd667c19a084d5ff14a4f08eb7049d1c7
github.com/eclipse/jetty.project/commit/d1e64f469362bb9371d530cccded5ecb13fa1cb5
github.com/eclipse/jetty.project/issues/8014
github.com/eclipse/jetty.project/pull/8015
github.com/eclipse/jetty.project/pull/8146
github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
lists.debian.org/debian-lts-announce/2022/08/msg00011.html
security.netapp.com/advisory/ntap-20220901-0006/
www.debian.org/security/2022/dsa-5198