PT-2022-6209 · Eclipse+2 · Eclipse Jetty+2

Rafax00 +1 · Published 2022-07-07 · Updated 2026-05-18 · CVE-2022-2047

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions 9.4.0 through 9.4.46
Eclipse Jetty versions 10.0.0 through 10.0.9
Eclipse Jetty versions 11.0.0 through 11.0.9

Description

The parsing of the authority segment of an http scheme URI in the Jetty HttpURI class improperly detects an invalid input as a hostname, leading to failures in a Proxy scenario. This issue can cause errors with Jetty's HttpClient and Jetty's ProxyServlet, AsyncProxyServlet, and AsyncMiddleManServlet, which wrongly interpret an authority with no host as one with a host. For example, a URI like http://localhost;/path is parsed as having an authority with a host of localhost;, which is incorrect.

Recommendations

For Eclipse Jetty versions 9.4.0 through 9.4.46, update to version 9.4.47 or later.
For Eclipse Jetty versions 10.0.0 through 10.0.9, update to version 10.0.10 or later.
For Eclipse Jetty versions 11.0.0 through 11.0.9, update to version 11.0.10 or later.
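
As an added illustration (not Jetty code and not the project's fix), the sketch below shows a strict authority check that a proxy front end could run before forwarding a request, using only the standard java.net.URI class. The class name AuthorityGuard and the method strictHost are hypothetical, and the sample URIs are constructed, with the second taken from the description above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added example, not Jetty code: a guard a proxy could run before forwarding.
public class AuthorityGuard {

    /**
     * Returns the host of an http(s) URI only when its authority is a
     * well-formed server authority ([userinfo@]host[:port]); otherwise null.
     */
    static String strictHost(String raw) {
        try {
            // parseServerAuthority() throws when an authority is present but
            // cannot be parsed as host[:port], e.g. "localhost;".
            URI uri = new URI(raw).parseServerAuthority();
            String scheme = uri.getScheme();
            if (scheme == null
                    || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
                return null;
            }
            String host = uri.getHost();
            // getHost() is null when there is no authority at all (http:///path).
            return (host == null || host.isEmpty()) ? null : host;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second is the URI from the description.
        List<String> samples = List.of(
                "http://localhost/path",
                "http://localhost;/path",
                "http://example.com:8080/path",
                "http:///path");
        for (String s : samples) {
            String host = strictHost(s);
            System.out.println(s + " -> " + (host == null ? "REJECT" : "host=" + host));
        }
    }
}
```

A check like this complements the upgrade listed under Recommendations and does not replace it.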

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2023-00477
CLEANSTART-2026-SQ91016
CLEANSTART-2026-WK99982
CVE-2022-2047
DLA-3079-1
DSA-5198-1
GHSA-CJ7V-27PG-WF7Q
OESA-2023-1021
OESA-2023-1030
OESA-2023-1031
OESA-2023-1032
OPENSUSE-SU-2024:12182-1

Affected Products

Alt Linux
Astra Linux
Eclipse Jetty