PT-2024-8548 · Eclipse · Eclipse Jetty
Zer0Yu
·
Published
2024-10-14
·
Updated
2026-05-18
·
CVE-2024-6763
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty (affected versions not specified)
Description
The HttpURI class in Eclipse Jetty performs insufficient validation of the authority segment of a URI. For a URI that is invalid under RFC 3986, HttpURI can therefore extract a different host than common browsers do. When an application checks a URI with HttpURI (for example against an allow-list of permitted hosts) and then uses the same URI string, this discrepancy lets an attacker bypass the host check, so the combination of Jetty and a browser that parses the URI differently becomes susceptible to open redirect and Server-Side Request Forgery (SSRF) attacks.
Recommendations
No release containing a fix for this vulnerability has been identified for this entry yet.
As a temporary workaround, validate the authority segment of a URI against the RFC 3986 grammar before passing the URI to the HttpURI class, and reject anything that does not conform.
Do not call HttpURI on unvalidated user input; keep it behind code that performs the authority check first.
Do not percent-decode user-supplied data and then hand it to HttpURI as if it were an encoded URI; validate and parse the raw, still-encoded string.
Ultimately, upgrading to a version of the class that fully validates the characters of the URI authority will be necessary to resolve the issue.
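The workaround described in the recommendations above (check the authority before HttpURI ever sees the string, and do the check on the raw encoded form) as an added example. This is illustration code written for this page, not Jetty's own code and not taken from the advisory. The class name StrictAuthority, the conservative policy of refusing userinfo and any '?' or '#' placed directly after the host, the simplified IP-literal pattern, and the hosts trusted.example and attacker.example are all assumptions of this example.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Strict RFC 3986 check of a URI's authority, to run BEFORE the string is
 * handed to a lenient parser such as Jetty's HttpURI. Anything outside the
 * grammar (backslash, space, unencoded '#', ...) is refused outright, so it
 * never matters where a particular parser or browser thinks the host ends.
 * Hypothetical helper written for this page; not part of Jetty.
 */
public final class StrictAuthority {

    // RFC 3986 character sets (ASCII). Input must still be percent-encoded:
    // validate the raw string, never a decoded copy of it.
    private static final String UNRESERVED = "A-Za-z0-9\\-._~";
    private static final String SUB_DELIMS = "!$&'()*+,;=";
    private static final String PCT_ENCODED = "%[0-9A-Fa-f]{2}";

    // userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
    private static final String USERINFO =
        "(?:[" + UNRESERVED + SUB_DELIMS + ":]|" + PCT_ENCODED + ")*";
    // reg-name = *( unreserved / pct-encoded / sub-delims ); dotted IPv4 fits too
    private static final String REG_NAME =
        "(?:[" + UNRESERVED + SUB_DELIMS + "]|" + PCT_ENCODED + ")*";
    // IP-literal, simplified to bracketed hex digits, ':' and '.' (IPvFuture omitted)
    private static final String IP_LITERAL = "\\[[0-9A-Fa-f:.]+\\]";
    private static final String HOST = "(?:" + IP_LITERAL + "|" + REG_NAME + ")";

    // authority = [ userinfo "@" ] host [ ":" port ]
    private static final Pattern AUTHORITY = Pattern.compile(
        "^(?:(" + USERINFO + ")@)?(" + HOST + ")(?::([0-9]*))?$");
    private static final Pattern SCHEME = Pattern.compile("^[A-Za-z][A-Za-z0-9+.\\-]*$");

    private StrictAuthority() {}

    /**
     * Host of the URI in lower case, or null if the URI is rejected. Rejection
     * is deliberately conservative (a policy chosen for this example): besides
     * requiring the RFC grammar, the authority must run up to a '/' or the end
     * of the string, and userinfo is not allowed, because "trusted@attacker"
     * and a '?' or '#' right after the host are exactly the inputs on which
     * different parsers tend to disagree.
     */
    static String strictHost(String uri) {
        int schemeEnd = uri.indexOf("://");
        if (schemeEnd <= 0 || !SCHEME.matcher(uri.substring(0, schemeEnd)).matches()) {
            return null;
        }
        int start = schemeEnd + 3;
        int end = start;
        while (end < uri.length()) {
            char c = uri.charAt(end);
            if (c == '/' || c == '?' || c == '#') break;  // RFC 3986 authority terminators
            end++;
        }
        if (end < uri.length() && uri.charAt(end) != '/') return null;  // policy: no '?'/'#' here
        Matcher m = AUTHORITY.matcher(uri.substring(start, end));
        if (!m.matches()) return null;          // character outside the grammar
        if (m.group(1) != null) return null;    // policy: userinfo present
        if (m.group(2).isEmpty()) return null;  // empty host cannot be allow-listed
        return m.group(2).toLowerCase(Locale.ROOT);
    }

    /** Gate for a redirect target or outbound request: strict parse, then allow-list. */
    static boolean allowedTarget(String uri, Set<String> allowedHosts) {
        String host = strictHost(uri);
        return host != null && allowedHosts.contains(host);
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("trusted.example");
        // Constructed inputs (example hosts only). The first three are clean;
        // the rest are shapes that different URI consumers may split differently.
        String[] samples = {
            "https://trusted.example/path?next=1",
            "https://trusted.example:8443",
            "https://[::1]:8080/",
            "https://trusted.example@attacker.example/",
            "https://trusted.example\\@attacker.example/",
            "https://trusted.example#@attacker.example/",
            "https://trusted.example%2Fattacker.example/",
        };
        for (String s : samples) {
            System.out.printf("%-48s host=%-36s allowed=%b%n",
                s, strictHost(s), allowedTarget(s, allowed));
        }
        // Only after allowedTarget(...) is true would the unmodified string be
        // passed on, e.g. to HttpURI.from(uri) in Jetty (call not shown here).
    }
}
```

The check runs on the raw string and hands that same string on unchanged once it passes; decoding first would turn the last sample into "trusted.example/attacker.example", which a split-on-slash parser reads as the trusted host, while the strict check above sees a single, non-allow-listed reg-name and refuses it. Rejecting '?' and '#' immediately after the host is stricter than RFC 3986 requires; it trades a rarely needed form (empty path with a query or fragment) for never having to reason about which consumer terminates the authority where.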
Exploit
DoS
Affected Products
Alt Linux
Debian
Eclipse Jetty
Red Os
Suse