First published: Thu Jul 07 2022
Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet to wrongly interpret an authority with no host as one with a host.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Jetty | <9.4.46 | |
| Eclipse Jetty | >=10.0.0 <10.0.9 | |
| Eclipse Jetty | >=11.0.0 <=11.0.9 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Netapp Element Plug-in For Vcenter Server | | |
| Netapp Management Services For Element Software And Netapp Hci | | |
| Netapp Snapcenter | | |
| Netapp Solidfire & Hci Storage Node | | |
| Netapp Hci Compute Node | | |
| debian/jetty9 | <=9.4.16-0+deb10u1 | 9.4.50-4+deb10u1, 9.4.39-3+deb11u2, 9.4.50-4+deb11u1, 9.4.50-4+deb12u1, 9.4.50-4+deb12u2, 9.4.53-1 |
| redhat/jetty-http | <9.4.47 | 9.4.47 |
| redhat/jetty-http | <10.0.10 | 10.0.10 |
| redhat/jetty-http | <11.0.10 | 11.0.10 |
The severity of CVE-2022-2047 is low with a severity value of 2.7.
Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9 are affected by CVE-2022-2047.
CVE-2022-2047 can lead to failures in a Proxy scenario due to the improper detection of an invalid input as a hostname.
Update Eclipse Jetty to version 9.4.47, 10.0.10, or 11.0.10 to fix CVE-2022-2047.
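The flaw described above and in the description at the top of this page is an authority component with no host being treated as if it named one. As an added example (not Jetty's code and not a reproduction of the HttpURI bug), the following Python check classifies the authority of a request target before a proxy forwards it and refuses the empty-host form; it uses only the standard library, and the sample URIs in the demo are constructed.

```python
"""Proxy-side guard: refuse request targets whose authority has no host.

Added example, not part of Eclipse Jetty. The point is to make the
"authority present but no host" case explicit instead of letting it be
treated as a host, which is the failure mode CVE-2022-2047 describes.
"""
from urllib.parse import urlsplit


def classify_authority(uri: str) -> str:
    """Return 'absent', 'empty-host', 'host' or 'invalid' for the URI's authority.

    'absent'     - no '//' authority at all (origin-form "/path", "mailto:x")
    'empty-host' - authority present but it carries only userinfo/port or nothing
                   ("http:///p", "http://user@/p", "http://:8080/p")
    'host'       - a non-empty host (reg-name, IPv4 or bracketed IPv6)
    'invalid'    - the parser rejected it (e.g. unbalanced IPv6 brackets)
    """
    uri = uri.strip()
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "invalid"
    # Everything after "scheme:" ; urlsplit lower-cases the scheme but keeps length.
    rest = uri[len(parts.scheme) + 1:] if parts.scheme else uri
    if not rest.startswith("//"):
        return "absent"
    # urlsplit returns None for a hostname that is empty after stripping userinfo/port.
    return "host" if parts.hostname else "empty-host"


def should_forward(uri: str) -> bool:
    """A proxy should only forward targets that name a real host."""
    return classify_authority(uri) == "host"


def triage(uris):
    """Split constructed request targets into forwardable and rejected lists."""
    allowed = [u for u in uris if should_forward(u)]
    rejected = [(u, classify_authority(u)) for u in uris if not should_forward(u)]
    return allowed, rejected


if __name__ == "__main__":
    samples = ["http://example.com/path", "http://[::1]:8080/", "http:///path",
               "http://user:pw@:8080/path", "http://@/path", "/relative/path"]
    ok, bad = triage(samples)
    print("forward:", ok)
    print("reject :", bad)
```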
You can find more information about CVE-2022-2047 at the following references: [CVE-2022-2047](https://www.cve.org/CVERecord?id=CVE-2022-2047), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-2047), [GitHub Advisory](https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2116949), [Red Hat Advisory](https://access.redhat.com/errata/RHSA-2023:1661).