[GHSA-qh8g-58pp-2wxh] Eclipse Jetty URI parsing of invalid authority #5496

Conversation

venkatesh2090 (pull request author) proposed the following advisory updates:

Updates

  • Affected products
  • CVSS v3
  • References

Comments
A fix for this has been backported by the author in jetty/jetty.project#12532 to 9.4.x feature branch.
It has also been released in jetty-9.4.57.v20241219 as can be seen in the commit jetty/jetty.project@db8bb7a

@github (Collaborator) commented May 1, 2025

Hi there @joakime! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to venkatesh2090/advisory-improvement-5496 May 1, 2025 13:22
@joakime commented May 1, 2025

@venkatesh2090 No, there is no fix for that vulnerability outside of Jetty 12.x.
All other Jetty versions are EOL.
This includes Jetty 9, Jetty 10, and Jetty 11.

Also, this CVE is managed by the Eclipse CNA, not Github.
Fixing this here is incorrect.

See past closed efforts to fix this.

@joakime commented May 1, 2025

> A fix for this has been backported by the author in jetty/jetty.project#12532 to 9.4.x feature branch.
> It has also been released in jetty-9.4.57.v20241219 as can be seen in the commit jetty/jetty.project@db8bb7a

That was a sponsored backport of a narrowed subset of the original CVE fix from Jetty 12 back to Jetty 9.
That is why Jetty 9 is not listed on this CVE or Vulnerability.

Ideally, GitHub should flag Jetty 9 / Jetty 10 / Jetty 11 as EOL, like the CVE authority does.
But the GitHub advisory database doesn't contain that tag/flag/indicator.

@joakime left a review comment

Again, reject this change.

@github-actions github-actions bot deleted the venkatesh2090-GHSA-qh8g-58pp-2wxh branch May 2, 2025 12:57