Fluid Attacks Database

Description

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	jetty9	>=0 <9.4.48-1	9.4.48-1
maven	org.eclipse.jetty:jetty-http	>=0 <9.4.47 \|\| >=10.0.0 <10.0.10 \|\| >=11.0.0 <11.0.10	9.4.47, 10.0.10, 11.0.10
debian 13	jetty9	>=0 <9.4.48-1	9.4.48-1
debian 11	jetty9	=9.4.39-3 \|\| >=0 <9.4.39-3+deb11u1	9.4.39-3+deb11u1
debian 12	jetty9	>=0 <9.4.48-1	9.4.48-1

Aliases

1. CVE-2022-20472. NVD-2022-20473. OSV-DEBIAN-2022-20474. OSV-2022-20475. GHSA-cj7v-27pg-wf7q6. GCVE-2022-20477. SECURITY-TRACKER-CVE-2022-20478. lists.debian.org

References

1. https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q2. https://security.netapp.com/advisory/ntap-20220901-00063. https://www.debian.org/security/2022/dsa-5198