Conversation

@amita-seal

Updates

  • Affected products
  • CVSS v3

Comments

CVE-2024-6763

already implemented
source

jetty-9.4.57.v20241219 - 19 December 2024
 + 12268 `IteratingCallback` may iterate too much when `process()` returns
   Action.IDLE
 + 12648 Backport improved handling of bad Gzip content (and Gzip Exceptions)
 + 12532 Backport CVE-2024-6763 to deprecate UserInfo on URI (in violation of
   RFC2616 spec)

@github
Collaborator

github commented Dec 11, 2025

Hi there @joakime! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to amita-seal/advisory-improvement-6537 December 11, 2025 09:19
@joakime

joakime commented Dec 11, 2025

Reject.

This is not fixed in the EOL releases of Jetty 9, Jetty 10, or Jetty 11.

See past PRs on here for details.

@amita-seal
Author

@joakime can you please refer to these PRs?
We also see that Snyk agrees with our suggestion: https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-8186141
The link I shared there is from jetty-http's release notes.

@joakime

joakime commented Dec 11, 2025

In short, the HTTP RFC support levels in Jetty 9, Jetty 10, and Jetty 11 cannot have the fix, as it would invalidate the older HTTP RFC those Jetty versions support.

If you want/need the fix, you must use Jetty 12.0+.

This is why the CVE does not contain this fix listed for those old versions of Jetty.

Also, the CVE is managed by the Eclipse CNA and cannot be updated by GitHub.

@amita-seal
Author

Hi @joakime,
Thanks for the details.
I see this PR fixes the vulnerability, approved by you.
Am I misunderstanding something?

If the right place to edit is the Eclipse CNA, we'll move the request there. Just want to get the details right before we do so.

@joakime

joakime commented Dec 11, 2025

This is not fixed in Jetty 9, Jetty 10, and Jetty 11.
The fix / patch you are referencing only addresses direct usage of jetty-http classes by your project, it doesn't fix Jetty Server or Jetty Client.

@joakime

joakime commented Dec 11, 2025

Keep in mind the Eclipse CNA also checks with the Eclipse project for proposed CVE fixes.

We've addressed this multiple times with them as well.

This advisory and CVE is not, and will not be, fixed in Jetty 9, Jetty 10, and Jetty 11.
Those versions are EOL.

@joakime

joakime commented Dec 11, 2025

I'll get the Snyk report corrected again, as it is wrong.

Blackduck, Tidelift, Mitre, and more have the correct information.

@amita-seal
Author

Hi @joakime,
This GitHub advisory references only jetty-http. It does not list jetty-server or jetty-client at all.
Isn't it better to list the CVE per Maven artifact, as is usually done, instead of per the entire jetty project?

@shelbyc
Contributor

shelbyc commented Dec 11, 2025

👋 Hi @amita-seal and @joakime, I'm going to keep the advisory as it currently is for now. If The Eclipse Foundation provides any more information in the record for https://www.cve.org/CVERecord?id=CVE-2024-6763 and/or GHSA-qh8g-58pp-2wxh, feel free to submit another PR.

@shelbyc shelbyc closed this Dec 11, 2025
@github-actions github-actions bot deleted the amita-seal-GHSA-qh8g-58pp-2wxh branch December 11, 2025 17:21