SCA: security update for org.eclipse.jetty:jetty-http (GHSA-qh8g-58pp-2wxh)

medium Tenable Cloud Security Plugin ID 418140

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a
utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the
authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it
handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI
and the browser may differ on the value of the host extracted from an invalid URI and thus a combination
of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the
URI is used after passing validation checks. (CVE-2024-6763)

See Also

https://github.com/advisories/GHSA-qh8g-58pp-2wxh

Plugin Details

Severity: Medium

ID: 418140

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2024-6763

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/14/2024

Vulnerability Publication Date: 10/14/2024

Reference Information

CVE: CVE-2024-6763