Conversation

@rhuddleston

Updates

  • Affected products
  • CVSS v3
  • References

Comments
This fix was backported to Jetty 10 & 11: jetty/jetty.project#12874

@github

github commented Apr 22, 2025

Hi there @joakime! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to rhuddleston/advisory-improvement-5475 April 22, 2025 00:39
@rhuddleston

These also need to be marked as affected:

  • 11.0, <= 11.0.25

  • 12.0, <= 12.0.11

I was having a hard time getting the syntax plugged in there correctly.


@joakime

joakime commented Apr 22, 2025

@rhuddleston the fix is not in released Jetty versions earlier than 12.0.12.

The linked issue (jetty/jetty.project#12874) is not a fix for that vulnerability; it is an HTTP spec compliance addition that only applies to Jetty's HttpClient use cases. (The fix for the CVE in Jetty 12.0.12 fixes Jetty Server use cases as well.)

@rhuddleston

When I clicked on that commit, it has:

Added a UriCompliance.Violation.USER_INFO to deprecate user info in HttpURI (jetty/jetty.project#12012)

and pull 12012 refers to that CVE, so I guess I assumed wrong.

@joakime

joakime commented Apr 22, 2025

That link is a spec compliance change and CVE fix for 12.0.x.

The link you posted is not a CVE fix for older versions of Jetty.

Also, as a different note, this CVE is managed by the Eclipse CNA.
The GitHub Vulnerability Database isn't the place for this change.

@github-actions github-actions bot deleted the rhuddleston-GHSA-qh8g-58pp-2wxh branch April 22, 2025 01:05
@joakime

joakime commented Apr 22, 2025

One last thing.
Jetty 11 and older are now at EOL.
There is no open source support for those versions of Jetty anymore.
The Eclipse CNA will also flag changes to EOL versions as "Unsupported when Assigned" in the CVE database (which is code for EOL).
The GitHub Vulnerability Database here does not support either the "Unsupported when Assigned" tag or EOL.
