[
https://issues.apache.org/jira/browse/HADOOP-19806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18057377#comment-18057377
]
Isaac commented on HADOOP-19806:
--------------------------------
Thanks [[email protected]], I don't know why but we are using a tool called
Wiz and, for some reason, it is detecting v9.4.57 as vulnerable 🤔
{noformat}
Name: org.eclipse.jetty:jetty-http, Version: 9.4.57.v20241219, Path:
/app/libs/jetty-http-9.4.57.v20241219.jar ->
META-INF/maven/org.eclipse.jetty/jetty-http
CVE-2024-6763, Severity: MEDIUM, Source:
https://github.com/advisories/GHSA-qh8g-58pp-2wxh
CVSS score: 5.3, CVSS exploitability score: 3.9
Fixed version: 12.0.12
Has public exploit
Description: Eclipse Jetty is a lightweight, highly scalable,
Java-based web server and Servlet engine . It includes a utility class,
HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment
of a URI. However the behaviour of HttpURI
differs from the common browsers in how it handles a URI that would be
considered invalid if fully validated against the RRC. Specifically
HttpURI
and the browser may differ on the value of the host extracted from an
invalid URI and thus a combination of Jetty and a vulnerable browser may
be vulnerable to a open redirect attack or to a SSRF attack if the URI
is used after passing validation checks.
CVSS v3 metrics:
Attack complexity: LOW, Attack vector: NETWORK
Confidentiality impact: NONE, Integrity impact: LOW
Required privileges: NONE, User interaction is not required
CVSS v2 metrics:
User interaction is not required
EPSS probability: 1, EPSS percentile: 76.9, EPSS severity: HIGH
Publish date: 2024-10-14 16:15:00 +0000 UTC, Fix publish date:
2024-10-16 10:53:00 +0000 UTC{noformat}
Maybe it is not well informed in the GitHub advisory. I need to investigate deeper 👀
> CVE-2024-6763 Bump Jetty
> ------------------------
>
> Key: HADOOP-19806
> URL: https://issues.apache.org/jira/browse/HADOOP-19806
> Project: Hadoop Common
> Issue Type: Wish
> Components: common
> Affects Versions: 3.5.0, 3.4.2
> Reporter: Isaac
> Priority: Minor
> Fix For: 3.4.3
>
>
> There is a vulnerability in the org.eclipse.jetty:jetty-http library
> [https://nvd.nist.gov/vuln/detail/CVE-2024-6763]
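The advisory text quoted in the scanner output above describes a parser-differential problem: a lenient URI parser and a browser can extract different hosts from an authority that would not pass full RFC 3986 validation, so any host-based check on such a URI is unreliable. The following is an added illustration of the defensive side of that point, written for this thread and not taken from Jetty, its HttpURI class, or the Hadoop project. It is Python rather than Java, the allow-list and the hand-written authority grammar are assumptions for the example (the grammar is a simplified RFC 3986 `authority`), and the inputs are constructed samples. The idea is to accept a redirect target only when the authority matches the strict grammar and the lenient stdlib parser agrees on the host; anything else is rejected before a host is ever used.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of hosts a redirect may point to (assumption for the example).
ALLOWED_REDIRECT_HOSTS = {"example.com", "www.example.com"}

# Simplified RFC 3986 authority grammar, hand-written for this example:
#   authority = [ userinfo "@" ] host [ ":" port ]
# Any character outside these classes (space, backslash, control characters, ...)
# makes the whole authority fail to match, so there is nothing for two parsers
# to disagree about.
_UNRESERVED_SUBDELIMS = r"A-Za-z0-9\-._~%!$&'()*+,;="
_AUTHORITY_RE = re.compile(
    r"^(?:(?P<userinfo>[" + _UNRESERVED_SUBDELIMS + r":]*)@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[" + _UNRESERVED_SUBDELIMS + r"]+)"
    r"(?::(?P<port>[0-9]*))?$"
)


def strict_host(uri):
    """Return the lower-cased host of `uri` only if its authority passes the strict
    grammar and the lenient stdlib parser agrees on the host; otherwise None."""
    try:
        parts = urlsplit(uri)
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    m = _AUTHORITY_RE.match(parts.netloc)
    if m is None:
        return None
    host = m.group("host").lower()
    if host.startswith("["):
        host = host[1:-1]       # urlsplit().hostname reports IP literals without brackets
    lenient = (parts.hostname or "").lower()
    if host != lenient:         # the two parsers disagree: treat the URI as invalid
        return None
    return host


def is_safe_redirect_target(uri):
    """Accept a redirect target only if it strictly parses to an allow-listed host."""
    host = strict_host(uri)
    return host is not None and host in ALLOWED_REDIRECT_HOSTS


if __name__ == "__main__":
    # Constructed sample inputs: two acceptable targets, then rejections.
    for candidate in (
        "https://www.example.com/account",
        "https://user@example.com:8443/x",
        "http://exa mple.com/",       # illegal character in the authority
        "http:///path",               # empty host
        "https://example.com:8x/",    # invalid port
        "https://other.example/",     # well-formed, but not allow-listed
    ):
        print(f"{candidate!r:40} -> {is_safe_redirect_target(candidate)}")
```

The check deliberately does not try to "repair" or reinterpret a malformed authority the way a browser might; rejecting the input outright is what removes the ambiguity the advisory describes, and comparing the strict and lenient results catches cases where the simplified grammar is looser than intended.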
--
This message was sent by Atlassian Jira
(v8.20.10#820010)