CVE-2024-6763: 
Java vulnerability analysis and mitigation

Eclipse Jetty's HttpURI class, a utility for URI/URL parsing, contains a vulnerability (CVE-2024-6763) affecting versions 7.0.0 through 12.0.11. The vulnerability stems from insufficient validation of the authority segment in URIs, where HttpURI's parsing behavior differs from common browsers when handling invalid URIs. This discrepancy in host extraction from invalid URIs could potentially lead to open redirect or SSRF attacks when used in combination with vulnerable browsers (GitHub Advisory).

The vulnerability specifically relates to the HttpURI class's handling of the authority section in URIs. When presented with an illegal authority containing user info (e.g., username:password#@hostname:port), the parsing doesn't fail as it should. The interpretation of the host name portion differs between Jetty and common browsers, leading to security implications. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network vector attack with high complexity (NVD).

The impact is limited to developers who use the Jetty HttpURI class directly in their applications. For example, if a project implements a blocklist to block certain hosts based on HttpURI's handling of the authority section, attackers could potentially bypass these protections. This could lead to Server-Side Request Forgery (SSRF) and URL Redirection vulnerabilities in specific cases (GitHub Advisory).

The immediate solution is to upgrade to version 12.0.12 or later, which includes full validation of URI authority characters. Applications should avoid passing decoded user data as encoded URI to any URI class/method, including HttpURI. Additionally, Jetty will deprecate and remove support for user info in the authority per RFC9110 Section 4.2.4 (GitHub Advisory).