CVE-2022-2047
Improper URI Parsing vulnerability in jetty-http (Maven)


What is CVE-2022-2047 About?

This vulnerability is an improper URI parsing flaw in Jetty's `HttpURI` class, which incorrectly interprets invalid URIs containing semicolons in the host component. This can lead to wrong host resolution by HttpClient or proxy servlets. Exploitation could allow for unexpected request routing or bypassing of security controls.

Affected Software

  • org.eclipse.jetty:jetty-http
    • >10.0.0, <10.0.10
    • >11.0.0, <11.0.10
    • <9.4.47

Technical Details

The vulnerability stems from the `HttpURI` class in Jetty, specifically in its URI parsing logic. When presented with an invalid URI such as `http://localhost;/path`, the parser incorrectly identifies `localhost;` as the host. According to the URI specifications, such input should either be rejected as invalid or `localhost;` should be treated as part of the user-information portion of the URI, not as the host. This misinterpretation means that accessors such as `HttpURI.host` return an incorrect value, leading to downstream issues in Jetty's `HttpClient` and proxy servlets (`ProxyServlet`, `AsyncProxyServlet`, `AsyncMiddleManServlet`), which may wrongly treat an authority with no host as having one.
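To make the failure mode concrete, the following added example (not Jetty's code and not part of this advisory) shows the difference between a lenient authority parser and a strict one on the `http://localhost;/path` input discussed above. Python's `urllib.parse.urlsplit` is used as the lenient reference because it likewise reports `localhost;` as the hostname; the strict `parse_authority` function, the host grammar it enforces (DNS hostname, dotted IPv4 or bracketed IPv6 literal only) and the `route_target` allow-list helper are assumptions of this example, written from the point of view of a proxy or gateway that must refuse to route on a host it cannot validate.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Host grammar for the strict check. Assumption of this example: an http(s) host
# must be a DNS-style hostname, a dotted IPv4 address or a bracketed IPv6
# literal; anything else (including a trailing ';') is rejected outright.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*\.?")
_IPV4_RE = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)")
# RFC 3986 userinfo = *( unreserved / pct-encoded / sub-delims / ":" ); ';' is a sub-delim,
# so "user;x@host" is a legal authority whose host is "host".
_USERINFO_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*")


class InvalidAuthority(ValueError):
    """Raised when an authority component cannot be split into a valid host."""


def parse_authority(authority: str) -> dict:
    """Strictly split 'userinfo@host:port'; raise InvalidAuthority on anything else."""
    userinfo, sep, hostport = authority.rpartition("@")
    if sep and not _USERINFO_RE.fullmatch(userinfo):
        raise InvalidAuthority(f"bad userinfo: {userinfo!r}")
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise InvalidAuthority("unterminated IPv6 literal")
        host, rest = hostport[: end + 1], hostport[end + 1 :]
        try:
            ipaddress.IPv6Address(host[1:-1])  # validates the address inside the brackets
        except ValueError:
            raise InvalidAuthority(f"bad IPv6 literal: {host!r}") from None
        if rest and not rest.startswith(":"):
            raise InvalidAuthority(f"junk after IPv6 literal: {rest!r}")
        port_str = rest[1:] if rest else ""
    else:
        host, _, port_str = hostport.partition(":")
        if not (_HOSTNAME_RE.fullmatch(host) or _IPV4_RE.fullmatch(host)):
            raise InvalidAuthority(f"bad host: {host!r}")  # "localhost;" ends up here
    port = None
    if port_str:
        if not port_str.isdigit() or int(port_str) > 65535:
            raise InvalidAuthority(f"bad port: {port_str!r}")
        port = int(port_str)
    return {"userinfo": userinfo if sep else None, "host": host, "port": port}


def lenient_host(url: str) -> Optional[str]:
    """What a permissive parser reports: urlsplit keeps the ';' inside the hostname."""
    return urlsplit(url).hostname


def strict_host(url: str) -> Optional[str]:
    """Validated host of an http(s) URL, or None when the authority is not well-formed."""
    try:
        return parse_authority(urlsplit(url).netloc)["host"]
    except InvalidAuthority:
        return None


def route_target(url: str, allowed_hosts) -> Optional[str]:
    """Proxy routing decision: forward only to a strictly parsed host on the allow list."""
    host = strict_host(url)
    if host is None or host.lower().rstrip(".") not in allowed_hosts:
        return None  # refuse to forward rather than guess a host
    return host


if __name__ == "__main__":
    for url in ("http://localhost;/path", "http://user;x@localhost:8080/path", "http://[::1]/"):
        print(f"{url:38} lenient={lenient_host(url)!r:14} strict={strict_host(url)!r}")
```

The lenient parser hands back `localhost;` as the hostname, which is exactly the value the advisory describes `HttpURI` producing; the strict parser returns no host at all, so the routing helper refuses the request instead of forwarding it. The second input shows that a semicolon is still accepted where the specification permits it, in the userinfo portion.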

What is the Impact of CVE-2022-2047?

Successful exploitation may allow attackers to cause incorrect request routing, bypass access controls, or lead to misdirection of network traffic within the application.

What is the Exploitability of CVE-2022-2047?

Exploitation complexity is moderate, requiring an attacker to be able to supply malformed URIs to an application leveraging Jetty's HttpURI class for parsing. No authentication or special privileges are explicitly mentioned as prerequisites. This could be a remote or local attack, depending on how user-supplied URIs are handled by the application. There are no known workarounds other than upgrading. The likelihood of exploitation increases if the application processes URIs from untrusted sources, such as in web proxies, API gateways, or client-side applications that construct URIs based on user input.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-2047?

Available Upgrade Options

  • org.eclipse.jetty:jetty-http
    • <9.4.47 → Upgrade to 9.4.47
    • >10.0.0, <10.0.10 → Upgrade to 10.0.10
    • >11.0.0, <11.0.10 → Upgrade to 11.0.10
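A small added helper (not part of this advisory or of the Jetty project) that applies the ranges above to the versions actually resolved in a build. It encodes the three ranges exactly as listed (exclusive bounds on both sides), ignores Jetty's date qualifiers such as `v20220331` when comparing, and pulls `jetty-http` versions out of `mvn dependency:tree` output; the sample tree at the bottom is constructed for the example.

```python
import re

# Affected ranges and fixed versions exactly as listed in this advisory:
# (exclusive lower bound or None, exclusive upper bound, version to upgrade to).
AFFECTED_RANGES = [
    (None, "9.4.47", "9.4.47"),
    ("10.0.0", "10.0.10", "10.0.10"),
    ("11.0.0", "11.0.10", "11.0.10"),
]

# Matches the "groupId:artifactId:type:version" form printed by mvn dependency:tree
# (assumption: no classifier sits between the type and the version).
_DEP_RE = re.compile(r"org\.eclipse\.jetty:jetty-http:[\w-]+:([0-9][^:\s]*)")


def parse_version(version):
    """Turn '9.4.46.v20220331' into (9, 4, 46); non-numeric qualifiers are dropped."""
    numbers = []
    for part in version.split("."):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple(numbers)


def fix_for(version):
    """Return the version to upgrade to if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v > parse_version(lower)
        if above_lower and v < parse_version(upper):
            return fixed
    return None


def jetty_http_versions(dependency_tree_output):
    """Distinct jetty-http versions mentioned in mvn dependency:tree output."""
    return sorted(set(_DEP_RE.findall(dependency_tree_output)))


def audit(dependency_tree_output):
    """Map each resolved jetty-http version to the upgrade it needs (None = not affected)."""
    return {v: fix_for(v) for v in jetty_http_versions(dependency_tree_output)}


# Constructed sample of mvn dependency:tree output for a project with two Jetty lines.
SAMPLE_TREE = """\
[INFO] com.example:gateway:jar:1.0.0
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.46.v20220331:compile
[INFO] |  \\- org.eclipse.jetty:jetty-http:jar:9.4.46.v20220331:compile
[INFO] \\- org.eclipse.jetty:jetty-proxy:jar:10.0.10:compile
[INFO]    \\- org.eclipse.jetty:jetty-http:jar:10.0.10:compile
"""

if __name__ == "__main__":
    for version, fixed in audit(SAMPLE_TREE).items():
        print(f"jetty-http {version}: {'upgrade to ' + fixed if fixed else 'not in an affected range'}")
```

Run it against real output from `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-http`; a transitive `jetty-http` pulled in by `jetty-server` or `jetty-proxy` is the case that is easy to miss when only direct dependencies are pinned.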


Additional Resources

What are Similar Vulnerabilities to CVE-2022-2047?

Similar Vulnerabilities: CVE-2023-49080, CVE-2023-47038, CVE-2023-37903, CVE-2023-36662, CVE-2023-35805