Description
URI parsing within Jetty's HttpURI class accepts invalid URIs such as http://localhost;/path and parses them as having an authority with a host of localhost;.
A URI of the form http://localhost;/path should be interpreted either as invalid or as having localhost; as the userinfo and no host at all.
However, HttpURI.host returns localhost;, which is definitely wrong.
Impact
This can lead to errors with Jetty's HttpClient, and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.
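The check below is an added example, not Jetty's code or its patch: a Python client or proxy front-end that first splits the authority leniently (reproducing the "localhost;" host described above) and then refuses to connect unless the host is unambiguously a DNS-style name or an IP literal. The hostname and IP-literal patterns are simplifications assumed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed, simplified acceptance rules for what a proxy may treat as a host:
# DNS-style labels (letters, digits, hyphens) or a bracketed IP literal.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)
_IP_LITERAL_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")


def split_authority(authority: str) -> tuple:
    """Split an RFC 3986 authority into (userinfo, host, port) without judging the host.

    This mirrors the lenient behaviour the advisory describes: 'localhost;' comes
    back as the host because nothing here checks what a host may contain.
    """
    userinfo = None
    if "@" in authority:
        userinfo, authority = authority.rsplit("@", 1)
    if authority.startswith("["):                      # IP literal, e.g. [::1]:8080
        end = authority.find("]")
        if end == -1:
            raise ValueError("unterminated IP literal")
        host, rest = authority[: end + 1], authority[end + 1 :]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IP literal")
        port = rest[1:] if rest else None
    elif ":" in authority:
        host, port = authority.rsplit(":", 1)
    else:
        host, port = authority, None
    return userinfo, host, port


def safe_host(uri: str) -> str:
    """Return the lower-cased host of uri, or raise ValueError when the authority
    does not name a host a client or proxy should connect to."""
    netloc = urlsplit(uri).netloc
    _userinfo, host, port = split_authority(netloc)
    if not host:
        raise ValueError(f"no host in authority {netloc!r}")
    if not (_HOSTNAME_RE.match(host) or _IP_LITERAL_RE.match(host)):
        raise ValueError(f"rejecting authority with malformed host {host!r}")
    if port and not port.isdigit():
        raise ValueError(f"malformed port {port!r}")
    return host.lower()


if __name__ == "__main__":
    print(split_authority("localhost;"))   # lenient split: host is 'localhost;'
    print(safe_host("http://user@Example.com:8080/path"))
    try:
        safe_host("http://localhost;/path")
    except ValueError as err:
        print("rejected:", err)
```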
Patches
Patched in PR #8146 for Jetty version 9.4.47.
Patched in PR #8014 for Jetty versions 10.0.10 and 11.0.10.
Workarounds
None.
For more information
If you have any questions or comments about this advisory: