Questions about CVE-2024-6763 in Jetty 10 #12581

Open
jkoch70 opened this issue Nov 26, 2024 · 4 comments
Comments

@jkoch70

jkoch70 commented Nov 26, 2024

Jetty 10

Is it planned to fix the following vulnerabilities in Jetty 10:
CVE-2024-6763 | medium | org.eclipse.jetty_jetty-io | 10.0.24
CVE-2024-6763 | medium | org.eclipse.jetty_jetty-http | 10.0.24

@joakime
Contributor

joakime commented Nov 26, 2024

That is an informational CVE, read it carefully.

The Jetty Server and Jetty Client on all releases of Jetty 12/11/10/9 are not vulnerable.

Only with direct use of HttpURI in your own application, under VERY specific conditions, would you be vulnerable.
The only fix in that situation is to decide which URI/URL spec parsing your application wants to follow, and choose a URI parsing spec that makes sense for your application's needs.

Either:

  • the IETF Specs (URI and HTTP) - that the HTTP protocol uses. (This is what Jetty's HttpURI handles)
  • the W3C Living URL document - a non-spec that the Web Browsers use. (Nothing in Jetty handles this)

That is the solution.
If you look around for a replacement for HttpURI direct use you'll find both solutions above, but as separate libraries/concepts, never co-mingled in a single solution. (Even Spring has two different URL parsers)

The change you see in Jetty 12 doesn't fix this, it merely ignores the user-info section.
This is possible in Jetty 12, as we are supporting RFC9110, which deprecates the user-info section of the URI.
This fix is not appropriate for older Jetty releases, as those only support older HTTP specs that do not have the user-info section deprecated.

There is nothing in Jetty Server or Jetty Client that supports user-info anyway.
The HTTP protocols also don't include the user-info in any part of the protocol.
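As an added example (not code from the issue or from the Jetty project), one way an application on Jetty 10 that calls HttpURI directly can pin itself to the IETF interpretation and fail closed on the user-info section, instead of silently ignoring it the way Jetty 12 does. It assumes Jetty 10's org.eclipse.jetty.http.HttpURI with the static HttpURI.from(String) factory and the getUser() accessor; the class name StrictHttpUri and the sample inputs are constructed for illustration.

```java
import org.eclipse.jetty.http.HttpURI;

/** Hypothetical helper for applications on Jetty 10 that use HttpURI directly. */
public final class StrictHttpUri {

    private StrictHttpUri() {}

    /**
     * Parse with Jetty's IETF-style HttpURI (RFC 3986 / HTTP semantics) and
     * reject any URI that carries a user-info section. Rejecting is stricter
     * than the Jetty 12 behaviour of dropping the section, and it removes the
     * ambiguity between IETF and WHATWG interpretations of "user@host".
     */
    public static HttpURI parseWithoutUserInfo(String raw) {
        HttpURI uri = HttpURI.from(raw);   // assumed Jetty 10 API; throws on malformed input
        if (uri.getUser() != null) {       // assumed accessor for the parsed user-info part
            throw new IllegalArgumentException("user-info is not accepted in: " + raw);
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the issue.
        String plain = "http://example.org:8080/docs/index.html?q=1";
        String withUserInfo = "http://alice:secret@example.org:8080/docs/index.html";

        HttpURI ok = parseWithoutUserInfo(plain);
        System.out.println("accepted: host=" + ok.getHost()
                + " port=" + ok.getPort() + " path=" + ok.getPath());

        try {
            parseWithoutUserInfo(withUserInfo);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Applications that need browser-style (WHATWG) semantics should use a dedicated WHATWG URL library instead of this helper, as the comment above describes; the two interpretations should not be mixed in one code path.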

@joakime
Contributor

joakime commented Nov 26, 2024

Also, note that Jetty 10 is EOL on January 1, 2025.

You should be moving to a supported version of Jetty at this point in time, Jetty 12 for example.
Also, since you are using Jetty 10 now, you would want to use the ee8 environment on Jetty 12 to maintain compatibility with javax.servlet namespace.

@joakime changed the title from "Vulnerability fixes in Jetty 10" to "Questions about CVE-2024-6763 in Jetty 10" on Nov 26, 2024
@jkoch70
Author

jkoch70 commented Nov 29, 2024

Got it. Thanks.

@jkoch70
Author

jkoch70 commented Nov 29, 2024

Closed.
