
jetty-http v20241219 CVE Security vulnerabilities #12817

Closed
gangqiang01 opened this issue Feb 24, 2025 · 5 comments
Assignees
Labels
Question Unsupported Release For releases that are no longer supported

Comments

@gangqiang01

Jetty Version
v20241219
Jetty Environment

jetty9.4
Java Version
8
Question

How are the CVE security vulnerabilities fixed?

@gangqiang01
Author

How to solve the jetty-http v20241219 security vulnerabilities?

@lachlan-roberts
Contributor

Can you be more specific about what vulnerabilities you are referring to?

@gangqiang01
Author

> Can you be more specific about what vulnerabilities you are referring to?

This vulnerability is identified through version scanning and there may be false positives.
The triggering of this vulnerability indeed relies on the use of the org.eclipse.jetty.http.HttpURL class. If it is determined through the code layer or runtime monitoring that the org.eclipse.jetty.http.HttpURL class is not loaded, then the reporting of this vulnerability through version detection is considered a false positive.
Eclipse Jetty is an open-source, Java-based web server and Java Servlet container of the Eclipse Foundation.
Versions 7.0.0 to 12.0.11 of Eclipse Jetty have a security vulnerability. This vulnerability stems from the insufficient validation of the authority part of the URI by the HttpURI class, which may lead to open redirect attacks or server-side request forgery attacks.

@gangqiang01
Author

> Can you be more specific about what vulnerabilities you are referring to?

This vulnerability is identified through version scanning and there may be false positives. The triggering of this vulnerability indeed relies on the use of the org.eclipse.jetty.http.HttpURL class. If it is determined through the code layer or runtime monitoring that the org.eclipse.jetty.http.HttpURL class is not loaded, then the reporting of this vulnerability through version detection is considered a false positive. Eclipse Jetty is an open-source, Java-based web server and Java Servlet container of the Eclipse Foundation. Versions 7.0.0 to 12.0.11 of Eclipse Jetty have a security vulnerability. This vulnerability stems from the insufficient validation of the authority part of the URI by the HttpURI class, which may lead to open redirect attacks or server-side request forgery attacks.

GHSA-qh8g-58pp-2wxh. This website is our solution. The only way is to upgrade the version of Jetty to 12. The 9.4.57.v20241219 version of jetty-http cannot solve this vulnerability.
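The comment above gives two criteria a defender can act on: the version range the scanner flags (7.0.0 to 12.0.11) and whether the `org.eclipse.jetty.http.HttpURI` class named in the description is actually shipped. The following is an added example, not code from the issue or from the Jetty project, that applies both criteria to a jetty-http jar so a version-only scanner hit can be separated from a confirmed exposure; it assumes Jetty-style version strings such as `9.4.57.v20241219` and builds a constructed stand-in jar for demonstration.

```python
import io
import re
import zipfile

# Range quoted in the thread (7.0.0 to 12.0.11) and the class the commenter
# treats as the trigger for the vulnerability being reachable.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (12, 0, 11)
HTTPURI_ENTRY = "org/eclipse/jetty/http/HttpURI.class"

def parse_version(version: str) -> tuple:
    """'9.4.57.v20241219' -> (9, 4, 57); the '.vYYYYMMDD' qualifier is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(x) for x in m.groups(default="0"))

def version_in_affected_range(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def jar_ships_httpuri(jar_bytes: bytes) -> bool:
    """True if the jar contains HttpURI.class (a jar is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return HTTPURI_ENTRY in zf.namelist()

def assess(version: str, jar_bytes: bytes) -> str:
    """'vulnerable': version in range and class shipped.
    'version-only': in range but class absent, so the scanner hit is a
    candidate false positive that still needs a runtime loaded-class check.
    'not-affected': version outside the quoted range."""
    if not version_in_affected_range(version):
        return "not-affected"
    return "vulnerable" if jar_ships_httpuri(jar_bytes) else "version-only"

def build_sample_jar(include_httpuri: bool) -> bytes:
    """Constructed stand-in for a jetty-http jar, not a real Jetty artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_httpuri:
            zf.writestr(HTTPURI_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":
    print(assess("9.4.57.v20241219", build_sample_jar(True)))   # vulnerable
    print(assess("9.4.57.v20241219", build_sample_jar(False)))  # version-only
```

On a real deployment, replace `build_sample_jar` with the bytes of the jetty-http jar on the classpath; a "vulnerable" result means the upgrade the commenter describes is the fix, while "version-only" still warrants confirming at runtime that the class is never loaded.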

@joakime
Contributor

joakime commented Feb 24, 2025

Duplicate of #12783

Nobody should be using Jetty 9.x anymore, it was End of Community Support 3 years ago.

@joakime joakime closed this as completed Feb 24, 2025
@joakime joakime self-assigned this Feb 24, 2025
@joakime joakime added the Unsupported Release For releases that are no longer supported label Feb 24, 2025