Source: jetty9
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for jetty9.

CVE-2024-6763[0]:
| Eclipse Jetty is a lightweight, highly scalable, Java-based web
| server and Servlet engine. It includes a utility class, HttpURI,
| for URI/URL parsing. The HttpURI class does insufficient validation
| on the authority segment of a URI. However the behaviour of HttpURI
| differs from the common browsers in how it handles a URI that would
| be considered invalid if fully validated against the RFC.
| Specifically HttpURI and the browser may differ on the value of the
| host extracted from an invalid URI and thus a combination of Jetty
| and a vulnerable browser may be vulnerable to an open redirect
| attack or to an SSRF attack if the URI is used after passing
| validation checks.

https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh

This appears to be only fixed for 12.x

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6763
    https://www.cve.org/CVERecord?id=CVE-2024-6763

Please adjust the affected versions in the BTS as needed.
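One defensive way to act on the advisory's point, added here as an example (it is not Jetty's HttpURI and not part of this bug report): validate the authority strictly against the RFC 3986 grammar before a URI is used as a redirect or fetch target, and refuse anything that does not parse, so that a lenient parser and a browser never get to disagree about which part of the string is the host. The grammar, the helper names and the host allowlist are assumptions.

```python
import re

# Constructed grammar following RFC 3986 section 3.2:
#   authority = [ userinfo "@" ] host [ ":" port ]
# Assumption: IP-literal hosts are limited to the IPv6 character set
# (IPvFuture is not accepted). Not Jetty code.
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})"
_URI_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://(?P<authority>[^/?#]*)")
_AUTHORITY_RE = re.compile(
    rf"^(?:(?P<userinfo>(?:{_PCHAR}|:)*)@)?"
    rf"(?P<host>\[[0-9A-Fa-f:.]+\]|{_PCHAR}*)"
    r"(?::(?P<port>[0-9]*))?$"
)


def parse_authority(uri):
    """Split the authority of an absolute http(s) URI into its components.

    Returns a dict with 'userinfo', 'host' and 'port', or None when the
    authority contains anything outside the RFC 3986 grammar (for example a
    backslash, whitespace, or a malformed percent-escape). The authority is
    cut out by hand rather than via a library parser so that no silent
    normalisation happens before the strict check.
    """
    m = _URI_RE.match(uri)
    if not m or m.group("scheme").lower() not in ("http", "https"):
        return None
    a = _AUTHORITY_RE.match(m.group("authority"))
    if not a or not a.group("host"):  # reject an empty host too
        return None
    return {
        "userinfo": a.group("userinfo"),
        "host": a.group("host").lower(),
        "port": a.group("port"),
    }


def is_safe_redirect(uri, allowed_hosts):
    """True only for a strictly valid URI whose host is on the allowlist.

    URIs carrying userinfo are refused as well: they are rarely legitimate
    redirect targets and are easy for a human reviewer to misread.
    """
    parts = parse_authority(uri)
    return (parts is not None
            and parts["userinfo"] is None
            and parts["host"] in allowed_hosts)
```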