2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2047

GHSA ID

GHSA-cj7v-27pg-wf7q

EPSS Score

0.73391%

CWE

CWE-20

Published

7/7/2022

Updated

1/29/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2047

CVE-2022-2047: Jetty invalid URI parsing may produce invalid HttpURI.authority

Description

URI use within Jetty's HttpURI class can parse invalid URIs such as http://localhost;/path as having an authority with a host of localhost;.

A URIs of the type http://localhost;/path should be interpreted to be either invalid or as localhost; to be the userinfo and no host. However, HttpURI.host returns localhost; which is definitely wrong.

Impact

This can lead to errors with Jetty's HttpClient, and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.

Patches

Patched in PR #8146 for Jetty version 9.4.47. Patched in PR #8014 for Jetty versions 10.0.10, and 11.0.10

Workarounds

None.

For more information

If you have any questions or comments about this advisory:

Email us at security@webtide.com.

(GitHub Advisory)

2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2047

GHSA ID

GHSA-cj7v-27pg-wf7q

EPSS Score

0.73391%

CWE

CWE-20

Published

7/7/2022

Updated

1/29/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty:jetty-http	maven	< 9.4.47	9.4.47
org.eclipse.jetty:jetty-http	maven	>= 10.0.0, < 10.0.10	10.0.10
org.eclipse.jetty:jetty-http	maven	>= 11.0.0, < 11.0.10	11.0.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation in HttpURI's authority parsing. The advisory specifically calls out incorrect host parsing for URIs like 'http://localhost;/path'. The core issue must exist in the authority parsing workflow:

parseAuthority() would be responsible for splitting userinfo/host/port components
setAuthority() would handle storing these parsed values
Both would lack proper validation for RFC-compliant host characters (semicolons are not allowed in hostnames) The high confidence comes from:

Direct reference to HttpURI.host field being incorrectly populated
URI parsing being a core responsibility of HttpURI class
Historical context that authority parsing is typically handled in these methods in Jetty's architecture

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription URI us* wit*in J*tty's `*ttpURI` *l*ss **n p*rs* inv*li* URIs su** *s `*ttp://lo**l*ost;/p*t*` *s **vin* *n *ut*ority wit* * *ost o* `lo**l*ost;`. * URIs o* t** typ* `*ttp://lo**l*ost;/p*t*` s*oul* ** int*rpr*t** to ** *it**r inv*li*

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in *ttpURI's *ut*ority p*rsin*. T** **visory sp**i*i**lly **lls out in*orr**t *ost p*rsin* *or URIs lik* '*ttp://lo**l*ost;/p*t*'. T** *or* issu* must *xist in t** *ut*ority p*rsin* work*low: *.

2.7

Basic Information

Concerned about an active attack path?

CVE-2022-2047: Jetty invalid URI parsing may produce invalid HttpURI.authority

Description

Impact

Patches

Workarounds

For more information

2.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI