Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from that of common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
History
Fri, 08 Nov 2024 21:45:00 +0000

Type | Values Removed | Values Added |
---|---|---|
Weaknesses | | NVD-CWE-Other |
Tue, 15 Oct 2024 18:15:00 +0000

Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Eclipse, Eclipse jetty |
CPEs | | cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* |
Vendors & Products | | Eclipse, Eclipse jetty |
Metrics | | ssvc |
Tue, 15 Oct 2024 01:30:00 +0000

Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | threat_severity | threat_severity |
Mon, 14 Oct 2024 15:45:00 +0000

Type | Values Removed | Values Added |
---|---|---|
Description | Full advisory text recorded at 15:30 (reproduced below) | Current summary, as shown at the top of this page |

Mon, 14 Oct 2024 15:30:00 +0000

Type | Values Removed | Values Added |
---|---|---|
Description | | Full advisory text (reproduced below) |
Title | | Jetty URI parsing of invalid authority |
Weaknesses | | CWE-1286 |
References | | |
Metrics | | cvssV3_1 |

Full advisory text (Description value added 14 Oct 2024 15:30, replaced 15:45)

Summary
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from that of common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.

Details

Affected components
The vulnerable component is the HttpURI class when used as a utility class in an application. Jetty's own usage of the class is not vulnerable.

Attack overview
The HttpURI class does not properly validate the authority section of a URI. When presented with an illegal authority that may contain user info (e.g. username:password#@hostname:port), parsing of the URI does not fail. Moreover, the interpretation of which part of the authority is the host name differs from that of a common browser: browsers also do not fail, but they select a different host name from the illegal URI.

Attack scenario
A typical attack scenario is illustrated in the diagram below. The Validator checks whether the attacker-supplied URL is on the blocklist. If not, the URI is passed to the Requester for redirection. The Requester is responsible for sending requests to the hostname specified by the URI. This attack occurs when the Validator is the org.eclipse.jetty.http.HttpURI class and the Requester is the browser (including Chrome, Firefox and Safari). An attacker can send a malformed URI to the Validator (e.g., http://browser.check%23%40vulndetector.com/). After validation, the Validator finds that the hostname is not on the blocklist. However, the Requester can still send requests to the domain with the hostname vulndetector.com.

Impact
The impact of this vulnerability is limited to developers that use the Jetty HttpURI directly. Example: your project implemented a blocklist to block some hosts based on HttpURI's handling of the authority section. The vulnerability will help attackers bypass the protections that developers have set up for hosts. The vulnerability will lead to SSRF[1] and URL Redirection[2] vulnerabilities in several cases.
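As an added example, not Jetty's code and not taken from the advisory, the following Python shows the defensive pattern the advisory's attack scenario calls for: a strict RFC 3986 authority check that refuses the malformed URI `http://browser.check%23%40vulndetector.com/` outright instead of guessing a host, placed next to a hypothetical lenient decode-then-split reading of the same string (a constructed stand-in, neither HttpURI nor any browser) to make the parser disagreement concrete. The blocklist contents are a constructed sample.

```python
import re
from urllib.parse import unquote

# RFC 3986 pieces for http(s)-style URIs (IPv6 literals deliberately out of scope).
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
# reg-name = *( unreserved / pct-encoded / sub-delims ); percent-encoding is
# refused on purpose so that no later decoding step can change the host.
_HOST = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=]+$")
_PORT = re.compile(r"^[0-9]*$")
BLOCKED = {"vulndetector.com"}  # constructed sample blocklist for the demo


def host_strict(uri: str):
    """Host of the URI, or None when the authority is not unambiguously valid:
    userinfo ('@') and any percent-encoded octet in the host are rejected."""
    m = _SCHEME.match(uri)
    if not m:
        return None
    rest = uri[m.end():]
    end = len(rest)                       # authority ends at first '/', '?' or '#'
    for ch in "/?#":
        i = rest.find(ch)
        if i != -1:
            end = min(end, i)
    authority = rest[:end]
    if "@" in authority:                  # userinfo present: reject outright
        return None
    host, sep, port = authority.partition(":")
    if sep and not _PORT.match(port):
        return None
    if not host or not _HOST.match(host):
        return None
    return host.lower()


def host_lenient(uri: str):
    """Hypothetical lenient parser, constructed for this example (neither HttpURI
    nor any browser): decode first, ignore '#', host = text after the last '@'."""
    m = _SCHEME.match(uri)
    if not m:
        return None
    authority = re.split(r"[/?]", unquote(uri[m.end():]), maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower() or None


def is_safe_target(uri: str) -> bool:
    """Blocklist check done safely: refuse anything the strict parser cannot
    assign a single host to, so no second parser can disagree later."""
    host = host_strict(uri)
    return host is not None and host not in BLOCKED
```

For the advisory's URI, `host_strict` returns None while `host_lenient` returns `vulndetector.com`; a validator that guesses a host for such input, or that checks a blocklist instead of an allowlist, is the condition the advisory describes.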
MITRE
Status: PUBLISHED
Assigner: eclipse
Published: 2024-10-14T15:06:07.298Z
Updated: 2024-10-15T17:45:35.771Z
Reserved: 2024-07-15T17:37:53.605Z
Link: CVE-2024-6763
Vulnrichment
Updated: 2024-10-15T17:45:31.079Z
NVD
Status : Analyzed
Published: 2024-10-14T16:15:04.163
Modified: 2024-11-08T21:15:57.677
Link: CVE-2024-6763
Redhat