Bug#1085698: jetty9: CVE-2024-6763
Moritz Mühlenhoff
jmm at inutil.org
Mon Oct 21 19:50:09 BST 2024
Source: jetty9
X-Debbugs-CC: team at security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for jetty9.
CVE-2024-6763[0]:
| Eclipse Jetty is a lightweight, highly scalable, Java-based web
| server and Servlet engine . It includes a utility class, HttpURI,
| for URI/URL parsing. The HttpURI class does insufficient validation
| on the authority segment of a URI. However the behaviour of HttpURI
| differs from the common browsers in how it handles a URI that would
| be considered invalid if fully validated against the RRC.
| Specifically HttpURI and the browser may differ on the value of the
| host extracted from an invalid URI and thus a combination of Jetty
| and a vulnerable browser may be vulnerable to a open redirect
| attack or to a SSRF attack if the URI is used after passing
| validation checks.
https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh
This appears to be only fixed for 12.x
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-6763
https://www.cve.org/CVERecord?id=CVE-2024-6763
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list