Improper Validation of Syntactic Correctness of Input
CVE-2024-6763
Summary
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, 'HttpURI', for URI/URL parsing. The 'HttpURI' class does insufficient validation on the authority segment of a URI. However the behavior of 'HttpURI' differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically, 'HttpURI' and the browser may differ on the value of the host extracted from an invalid URI. Thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or an SSRF attack if the URI is used after passing validation checks. This issue affects Eclipse Jetty versions 7.0.0.M0 through 12.0.11.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-1286 - Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.
References
Advisory Timeline
- Published