Jetty URI parsing of invalid authority
Description
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from that of common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty:jetty-http (Maven) | >= 7.0.0, < 12.0.12 | 12.0.12 |
Affected products
References
- github.com/advisories/GHSA-qh8g-58pp-2wxh (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-6763 (GHSA, advisory)
- github.com/jetty/jetty.project/pull/12012 (GHSA, web)
- github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh (GHSA, web)
- gitlab.eclipse.org/security/cve-assignement/-/issues/25 (GHSA, web)
- security.netapp.com/advisory/ntap-20250306-0005 (GHSA, web)