CVE-2022-2047

moderate-risk

Published 2022-07-07

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Do I need to act?

1.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.7/10 Low

NETWORK / LOW complexity

Affected Products (8)

Jetty

Debian Linux

Element Plug-In For Vcenter Server

Management Services For Element Software And Netapp Hci

Snapcenter

Solidfire \& Hci Storage Node

Hci Compute Node

Affected Vendors

Debian Netapp Eclipse

References (8)

Patch https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q

Mailing List https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220901-0006/

Third Party Advisory https://www.debian.org/security/2022/dsa-5198

Patch https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q

Mailing List https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220901-0006/

Third Party Advisory https://www.debian.org/security/2022/dsa-5198

/ 100

moderate-risk

Severity 14/34 · Moderate

Exploitability 4/34 · Minimal

Exposure 14/34 · Moderate