Bug 1201317 - (CVE-2022-2047) VUL-1: CVE-2022-2047:jetty-minimal,jetty-websocket,jetty-unixsocket: Invalid URI parsing may produce invalid HttpURI.authority
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/336494/
CVSSv3.1:SUSE:CVE-2022-2047:2.7:(AV:N...
Reported: 2022-07-08 08:27 UTC by Hu
Modified: 2022-07-08 16:40 UTC
Found By: Security Response Team
Description Hu 2022-07-08 08:27:21 UTC
CVE-2022-2047

In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and
11.0.0 through 11.0.9, when parsing the authority segment of an http-scheme
URI, the Jetty HttpURI class improperly detects an invalid input as a hostname.
This can lead to failures in a proxy scenario.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2047
https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
Comment 1 Hu 2022-07-08 08:28:08 UTC
Fixing commit: https://github.com/eclipse/jetty.project/pull/8146/files

Affected (Fixing commit applies):
- SUSE:SLE-15-SP2:Update/jetty-minimal          9.4.43
- openSUSE:Factory/jetty-minimal                9.4.46
- openSUSE:Factory/jetty-websocket              9.4.46
- openSUSE:Factory/jetty-unixsocket             9.4.46

Not Affected (Does not contain the files referenced in the fixing commit):
- openSUSE:Factory/jetty-artifact-remote-resources      1.2
- openSUSE:Factory/jetty-build-support                  1.5
- openSUSE:Factory/jetty-distribution-remote-resources  1.2
- openSUSE:Factory/jetty-parent                         25
- openSUSE:Factory/jetty-schemas                        4.0.3
- openSUSE:Factory/jetty-toolchain                      1.7
- openSUSE:Factory/jetty-version-maven-plugin           1.0.10
Comment 3 OBSbugzilla Bot 2022-07-08 16:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1201317) was mentioned in
https://build.opensuse.org/request/show/987945 Factory / jetty-minimal