ALT-PU-2026-5681-4

Обновление пакета jetty в ветке sisyphus

Версия12.1.8-alt1

Задание#413725

Опубликовано2026-05-03

Макс. серьёзностьCRITICAL

Серьёзность:

Закрытые проблемы (6)

MEDIUM6.5

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Опубликовано: 2026-03-05Изменено: 2026-03-06

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Ссылки

https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh

CRITICAL9.1

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Опубликовано: 2026-04-14Изменено: 2026-05-01

CVSS 3.xКРИТИЧЕСКАЯ 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Ссылки

HIGH7.4

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Опубликовано: 2026-04-08Изменено: 2026-04-23

CVSS 3.xВЫСОКАЯ 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-355h-qmc2-wpwf

HIGH7.4

Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Опубликовано: 2026-04-15

CVSS 3.xВЫСОКАЯ 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-r7p8-xq5m-436c

HIGH7.4

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables

Опубликовано: 2026-04-14

CVSS 3.xВЫСОКАЯ 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Ссылки

GHSA-wjpw-4j6x-6rwh

LOW3.7

org.eclipse.jetty:jetty-http has different parsing of invalid URIs

Опубликовано: 2026-03-06

CVSS 3.xНИЗКАЯ 3.7

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Ссылки