
CVE in Jetty #2340

Open
solonovamax opened this issue Nov 11, 2024 · 5 comments
Labels: dependencies

Comments

solonovamax commented Nov 11, 2024

Currently, there are 2 CVEs present in the version of Jetty used in Javalin 6.3.0.

The second CVE has been patched in the latest snapshot of Javalin, due to updating to Jetty from 11.0.22 -> 11.0.24, however no release has been made for this change.

Currently, the only fix for CVE-2024-6763 is to update to Jetty ≥12.0.12. Are there any plans to do this in the near future?

zugazagoitia (Member)

The impact of this vulnerability is limited to developers that use the Jetty HttpURI directly

I doubt we use it, but let's check

solonovamax (Author)

Some downstream consumers may use it, as it is a dependency, and Maven does not have a distinction between api & implementation dependencies like Gradle does.

FlyingSheepOnSailfish

For what it is worth, we are running Javalin 6.2.0 with Jetty 11.0.24
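
Overriding the transitive Jetty version from the consuming build, as the comment above describes, is shown here as an added example that is not code from the Javalin project or from anyone in this thread. It assumes a Maven build, the coordinates io.javalin:javalin and org.eclipse.jetty:jetty-bom (the Jetty BOM aligns jetty-server, jetty-client and the rest of the Jetty modules to one version), and takes the version numbers from the thread.

```xml
<!-- Added example pom.xml fragment (not from the Javalin project or this thread).
     Assumed coordinates: io.javalin:javalin and org.eclipse.jetty:jetty-bom. -->
<project>
  <properties>
    <!-- 11.0.24 is the version the thread names as patching the second CVE.
         Per the thread it does NOT address CVE-2024-6763, which needs Jetty >= 12.0.12. -->
    <jetty.version>11.0.24</jetty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the Jetty BOM pins every org.eclipse.jetty module that Javalin
           pulls in transitively; dependencyManagement in the consuming project
           takes precedence over the versions declared by Javalin's own pom. -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-bom</artifactId>
        <version>${jetty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.javalin</groupId>
      <artifactId>javalin</artifactId>
      <version>6.2.0</version>
    </dependency>
  </dependencies>

  <!-- Verify the override took effect with:
         mvn dependency:tree -Dincludes=org.eclipse.jetty
       Every org.eclipse.jetty artifact listed should show 11.0.24. -->
</project>
```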

dzikoysk added the dependencies label Nov 27, 2024

dzikoysk (Member) commented Nov 27, 2024

jetty-server should be patched in the next Javalin version. It was supposed to be released a week ago, but there were some internal issues with @tipsy's pipeline.

For jetty-client we may not be able to get rid of this:

Like you said, it's not affecting us and the chance it's affecting our users is also pretty low - if you'd be digging that deep into Jetty, you'd probably just use raw Jetty anyway, without Javalin:

That is an informational CVE, read it carefully.

The Jetty Server and Jetty Client on all releases of Jetty 12/11/10/9 are not vulnerable.

Only direct use of HttpURI in your own application, under VERY specific conditions, would you be vulnerable.
The only fix in that situation is to decide which URI/URL spec parsing your application wants to follow, and choose a URI parsing spec that makes sense for your application's needs.

~ jetty/jetty.project#12581 (comment)

We will most likely get rid of it in Javalin 8.x, with Jetty 12:

solonovamax (Author)

hmmm, I see

tbh I just opened the issue because my IDE was complaining lol
