Skip to main content

Improper Validation of Syntactic Correctness of Input

CVE-2024-6763

Severity Medium
Score 5.3/10

Summary

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, 'HttpURI', for URI/URL parsing. The 'HttpURI' class does insufficient validation on the authority segment of a URI. However the behavior of 'HttpURI' differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically, 'HttpURI' and the browser may differ on the value of the host extracted from an invalid URI. Thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or an SSRF attack if the URI is used after passing validation checks. This issue affects Eclipse Jetty versions 7.0.0.M0 through 12.0.11.

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

Advisory Timeline

  • Published