CVE-2024-6763

CWE-1286
10 documents, 7 sources
Severity: 5.3 MEDIUM
EPSS: 1.0% (top 22.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 14, latest update Jul 15

Description

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from that of common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI and

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (3 packages)

Source      Package                         Versions
NVD         eclipse/jetty                   7.0.0 to 9.4.57
Maven       org.eclipse.jetty:jetty-http    7.0.0 to 12.0.12
CVEListV5   eclipse_foundation/jetty        7.0.0 to 12.0.11

Patches

Vulnerability Details (4)

OSV: Eclipse Jetty URI parsing of invalid authority (2024-10-14)
OSV: CVE-2024-6763: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine (2024-10-14)
CVEList: Jetty URI parsing of invalid authority (2024-10-14)
GHSA: Eclipse Jetty URI parsing of invalid authority (2024-10-14)

Vendor Advisories (5)

Oracle: Oracle Fusion Middleware Risk Matrix: Third Party (Eclipse Jetty) — CVE-2024-6763 (2025-07-15)
Oracle: Oracle Graph Server and Client Risk Matrix: Install (Eclipse Jetty) — CVE-2024-6763 (2025-04-15)
Oracle: Oracle REST Data Services Risk Matrix: General (Eclipse Jetty) — CVE-2024-6763 (2025-01-15)
Red Hat: org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority (2024-10-14)
Debian: CVE-2024-6763: jetty9 - Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servl... (2024)