{ "threat_severity" : "Low", "public_date" : "2024-10-14T15:06:07Z", "bugzilla" : { "description" : "org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority", "id" : "2318563", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2318563" }, "cvss3" : { "cvss3_base_score" : "3.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-1286", "details" : [ "Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.\nThe HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI\ndiffers from the common browsers in how it handles a URI that would be \nconsidered invalid if fully validated against the RRC. Specifically HttpURI\nand the browser may differ on the value of the host extracted from an \ninvalid URI and thus a combination of Jetty and a vulnerable browser may\nbe vulnerable to a open redirect attack or to a SSRF attack if the URI \nis used after passing validation checks.", "A flaw was found in Jetty. The HttpURI class performs insufficient validation on the authority segment of a URI. The HttpURI and the browser may differ on the value of the host extracted from an invalid URI. This combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or an SSRF attack if the URI is used after passing validation checks." ], "statement" : "For this attack to work, you would require the victim to have a vulnerable browser on top of that the URI being used after insufficient validation, all of which makes this a low-severity flaw.", "affected_release" : [ { "product_name" : "Streams for Apache Kafka 2.9.1", "release_date" : "2025-06-30T00:00:00Z", "advisory" : "RHSA-2025:9922", "cpe" : "cpe:/a:redhat:amq_streams:2.9::el9" }, { "product_name" : "Streams for Apache Kafka 3.0.0", "release_date" : "2025-08-01T00:00:00Z", "advisory" : "RHSA-2025:12511", "cpe" : "cpe:/a:redhat:amq_streams:3.0::el9" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http-spi", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http-spi", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http-spi", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http-spi", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Web Server 6", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-http", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-6763\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6763\nhttps://github.com/jetty/jetty.project/pull/12012\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/25" ], "name" : "CVE-2024-6763", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }