Jetty is publishing CVE-2024-6763 for the HttpURI component parsing
of authority and its userinfo component.
https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh

URI parsing of invalid authority
Severity: Low (3.7 / 10)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2024-6763
Reporter/Credit: https://github.com/zer0yu

The HttpURI class performs insufficient validation on the authority segment of a URI.
This vulnerability only applies if you are using the HttpURI class in your own webapp.
The vulnerability does not exist in Jetty Server itself.
Patched in 12.0.12.
There are no patches for Jetty 11, Jetty 10, or Jetty 9 for this advisory.
Workarounds:
Do not use the Jetty HttpURI class to parse the authority and userinfo
components of a URI. HttpURI follows the RFC 3986 URI specification, which
matches the behavior of the protocols Jetty implements. If you need the URL
parsing behavior a browser applies, follow the WHATWG URL Living Standard instead.
These two parsing behaviors are (currently) incompatible with each other.
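The following is an added example, not Jetty code and not from the advisory: it places a strict RFC 3986 authority parser (built from the ABNF in the RFC) next to the WHATWG URL parser that Node and browsers ship as the global URL class, and runs both over the same constructed authority strings to show where the two grammars disagree on userinfo, host and port. The regular expression, the function names and the sample inputs are assumptions made for this illustration; the RFC side deliberately returns null for any authority outside the grammar rather than guessing.

```javascript
// Added example (not Jetty code): strict RFC 3986 authority parsing next to the
// WHATWG URL parser, to show why a validator must commit to one grammar.
// All sample inputs are constructed for illustration.

// RFC 3986 ABNF:
//   authority = [ userinfo "@" ] host [ ":" port ]
//   userinfo  = *( unreserved / pct-encoded / sub-delims / ":" )
//   host      = IP-literal / IPv4address / reg-name
//   reg-name  = *( unreserved / pct-encoded / sub-delims )
//   port      = *DIGIT
const UNRESERVED = "A-Za-z0-9\\-._~";
const SUB_DELIMS = "!$&'()*+,;=";
const PCT_ENCODED = "%[0-9A-Fa-f]{2}";
const USERINFO = `(?:[${UNRESERVED}${SUB_DELIMS}:]|${PCT_ENCODED})*`;
const REG_NAME = `(?:[${UNRESERVED}${SUB_DELIMS}]|${PCT_ENCODED})*`;
const IPV4 = "(?:\\d{1,3}\\.){3}\\d{1,3}";   // simplified dec-octet
const IP_LITERAL = "\\[[0-9A-Fa-f:.]+\\]";    // simplified IPv6 / IPvFuture
const HOST = `(?:${IP_LITERAL}|${IPV4}|${REG_NAME})`;
const AUTHORITY_RE = new RegExp(`^(?:(${USERINFO})@)?(${HOST})(?::(\\d*))?$`);

// Strict RFC 3986 parse of an authority string (no scheme, no path).
// Returns null for anything outside the grammar, e.g. a second "@" or a
// character that is neither unreserved, sub-delim nor percent-encoded.
function parseAuthorityRfc3986(authority) {
  const m = AUTHORITY_RE.exec(authority);
  if (m === null) return null;
  return { userinfo: m[1] ?? null, host: m[2], port: m[3] ?? null };
}

// WHATWG URL Standard parse via the platform URL class. The standard splits
// userinfo into username/password, lowercases the host, drops a default port
// and treats the last "@" as the userinfo delimiter (earlier "@" become %40).
function parseAuthorityWhatwg(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;                      // "failure" in WHATWG terms
  }
  return { username: u.username, password: u.password, host: u.hostname, port: u.port };
}

// Run both parsers over one authority and report whether they agree on the host.
// The WHATWG side needs a full URL, so the authority is wrapped in "http://.../".
function compareHostParsing(authority) {
  const rfc = parseAuthorityRfc3986(authority);
  const whatwg = parseAuthorityWhatwg(`http://${authority}/`);
  return {
    rfc,
    whatwg,
    sameHost: rfc !== null && whatwg !== null && rfc.host === whatwg.host,
  };
}

// Constructed samples: the first two agree on the host, the last two do not
// agree on port handling or on which "@" ends the userinfo.
const SAMPLES = [
  "example.com:8080",
  "user:secret@example.com",
  "example.com:80",
  "user@example.net@example.org",
];

for (const s of SAMPLES) {
  console.log(s, "=>", JSON.stringify(compareHostParsing(s)));
}
```

The point for a defender is the last sample: the RFC 3986 parser rejects an authority with two "@" characters outright, while the WHATWG parser accepts it and reports the text after the final "@" as the host. Whichever grammar an application validates against must be the same one every downstream component uses; checking with one and connecting with the other is exactly the kind of mismatch the advisory warns about.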