CVE-2024-6763

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

History

08 Nov 2024, 21:15

Type Values Removed Values Added
References () https://github.com/jetty/jetty.project/pull/12012 - () https://github.com/jetty/jetty.project/pull/12012 - Patch
References () https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh - () https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh - Exploit, Mitigation, Vendor Advisory
References () https://gitlab.eclipse.org/security/cve-assignement/-/issues/25 - () https://gitlab.eclipse.org/security/cve-assignement/-/issues/25 - Vendor Advisory
CVSS v2 : unknown
v3 : 3.7
v2 : unknown
v3 : 5.3
First Time Eclipse
Eclipse jetty
CWE NVD-CWE-Other
CPE cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Eclipse Jetty es un servidor web y motor de servlets basado en Java, ligero y altamente escalable. Incluye una clase de utilidad, HttpURI, para el análisis de URL/URL. La clase HttpURI realiza una validación insuficiente en el segmento de autoridad de una URI. Sin embargo, el comportamiento de HttpURI difiere de los navegadores comunes en cómo maneja una URI que se consideraría inválida si se validara completamente contra el RRC. Específicamente, HttpURI y el navegador pueden diferir en el valor del host extraído de una URI inválida y, por lo tanto, una combinación de Jetty y un navegador vulnerable puede ser vulnerable a un ataque de redireccionamiento abierto o a un ataque SSRF si la URI se usa después de pasar las verificaciones de validación.

14 Oct 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-14 16:15

Updated : 2024-11-08 21:15


NVD link : CVE-2024-6763

Mitre link : CVE-2024-6763

CVE.ORG link : CVE-2024-6763


JSON object : View

Products Affected

eclipse

  • jetty
CWE
NVD-CWE-Other CWE-1286

Improper Validation of Syntactic Correctness of Input