jetty-server-11.0.8.jar: 2 vulnerabilities (highest severity is: 7.5)
Opened this issue · 0 comments
Vulnerable Library - jetty-server-11.0.8.jar
Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/11.0.8/c78472dd805be404e0adf2b33315c7b2bb49144c/jetty-io-11.0.8.jar
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (jetty-server version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-2191 | High | 7.5 | jetty-io-11.0.8.jar | Transitive | 11.0.10 | ✅ |
CVE-2022-2047 | Low | 2.7 | detected in multiple dependencies | Transitive | 11.0.10 | ✅ |
Details
CVE-2022-2191
Vulnerable Library - jetty-io-11.0.8.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/11.0.8/c78472dd805be404e0adf2b33315c7b2bb49144c/jetty-io-11.0.8.jar
Dependency Hierarchy:
- jetty-server-11.0.8.jar (Root Library)
- ❌ jetty-io-11.0.8.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
Publish Date: 2022-07-07
URL: CVE-2022-2191
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2191
Release Date: 2022-07-07
Fix Resolution (org.eclipse.jetty:jetty-io): 11.0.10
Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 11.0.10
⛑️ Automatic Remediation is available for this issue
CVE-2022-2047
Vulnerable Libraries - jetty-http-11.0.8.jar, jetty-server-11.0.8.jar
jetty-http-11.0.8.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/11.0.8/ae463766ab49eaa89e6d13608a47a920ed14638a/jetty-http-11.0.8.jar
Dependency Hierarchy:
- jetty-server-11.0.8.jar (Root Library)
- ❌ jetty-http-11.0.8.jar (Vulnerable Library)
jetty-server-11.0.8.jar
The core jetty server artifact.
Library home page: https://eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle
Path to vulnerable library: /e/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/11.0.8/49f0408a1ee871bf430690a33c327fc22ee1b027/jetty-server-11.0.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/11.0.8/49f0408a1ee871bf430690a33c327fc22ee1b027/jetty-server-11.0.8.jar
Dependency Hierarchy:
- ❌ jetty-server-11.0.8.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
Publish Date: 2022-07-07
URL: CVE-2022-2047
CVSS 3 Score Details (2.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj7v-27pg-wf7q
Release Date: 2022-07-07
Fix Resolution (org.eclipse.jetty:jetty-http): 11.0.12
Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 11.0.10
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.