CVE-2022-2047

CWE-20 — Improper Input Validation7 documents6 sources

Severity

2.7LOW

EPSS

1.2%

top 21.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Jetty Eclipse Jetty Debian Debian Linux

Timeline

PublishedJul 7

Description

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages4 packages

▶Mavenorg.eclipse.jetty:jetty-http10.0.0 — 10.0.10+2

▶NVDeclipse/jetty10.0.0 — 10.0.9+2

▶CVEListV5the_eclipse_foundation/eclipse_jetty9.4.0 — unspecified+5

▶Debianjetty9< 9.4.39-3+deb11u1+3

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Jetty invalid URI parsing may produce invalid HttpURI.authority↗2022-07-07

▶

CVEList

CVE-2022-2047: In Eclipse Jetty versions 9↗2022-07-07

▶

OSV

Jetty invalid URI parsing may produce invalid HttpURI.authority↗2022-07-07

▶

OSV

CVE-2022-2047: In Eclipse Jetty versions 9↗2022-07-07

▶

📋Vendor Advisories

Red Hat

jetty-http: improver hostname input handling↗2022-07-07

▶

Debian

CVE-2022-2047: jetty9 - In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 ...↗2022

▶