ALT-PU-2026-5681-4

Package update jetty in branch sisyphus

Version12.1.8-alt1

Published2026-05-03

Max severityCRITICAL

Severity:

Closed issues (6)

MEDIUM6.5

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Published: 2026-03-05Modified: 2026-03-06

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh

CRITICAL9.1

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Published: 2026-04-14Modified: 2026-05-01

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

HIGH7.4

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Published: 2026-04-08Modified: 2026-04-23

CVSS 3.xHIGH 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

GHSA-355h-qmc2-wpwf

HIGH7.4

Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Published: 2026-04-15

CVSS 3.xHIGH 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

GHSA-r7p8-xq5m-436c

HIGH7.4

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables

Published: 2026-04-14

CVSS 3.xHIGH 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

GHSA-wjpw-4j6x-6rwh

LOW3.7

org.eclipse.jetty:jetty-http has different parsing of invalid URIs

Published: 2026-03-06

CVSS 3.xLOW 3.7

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References