Vulnerability Name:CVE-2022-2047 (CCN-230668)

Assigned:2022-07-07
Published:2022-07-07
Updated:2022-10-25
Summary:In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, the HttpURI class, when parsing the authority segment of an http-scheme URI, improperly accepts invalid input as a hostname. This can lead to failures in a proxy scenario.
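The summary concerns how the authority segment of an http URI is split into userinfo, host and port. The following Python is an added example, not code from Eclipse Jetty or from any advisory referenced on this page: a strict RFC 3986 authority validator of the kind a proxy can apply independently before forwarding to a parsed host. It is a general check, not a reproduction of the specific Jetty defect, and every sample URI in it is constructed.

```python
"""Strict RFC 3986 authority parsing (added example; not Jetty or advisory code).

A proxy that forwards to whatever host a lenient URI parser reports needs an
independent check that the authority is well-formed. This parser raises on
anything RFC 3986 does not permit instead of guessing a hostname."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3986: reg-name = *( unreserved / pct-encoded / sub-delims )
_REG_NAME = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$")
# userinfo = *( unreserved / pct-encoded / sub-delims / ":" ); never "@"
_USERINFO = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*$")
_IPV4_SHAPE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_PORT = re.compile(r"^[0-9]+$")  # str.isdigit() would also accept "²"


class InvalidAuthority(ValueError):
    """Raised for an authority that RFC 3986 does not allow."""


@dataclass(frozen=True)
class Authority:
    userinfo: Optional[str]
    host: str
    port: Optional[int]


def http_authority(uri: str) -> str:
    """Authority segment of an http(s) URI: the text between '//' and the
    first '/', '?' or '#' (or the end of the string)."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        raise InvalidAuthority(f"not an http(s) URI: {uri!r}")
    end = len(rest)
    for delim in "/?#":
        idx = rest.find(delim)
        if idx != -1:
            end = min(end, idx)
    return rest[:end]


def parse_authority(authority: str) -> Authority:
    """Parse authority = [ userinfo "@" ] host [ ":" port ] strictly."""
    userinfo = None
    rest = authority
    if "@" in rest:
        # Only the last '@' may separate userinfo from host. Neither regex
        # admits '@', so a second '@' is rejected rather than absorbed.
        userinfo, rest = rest.rsplit("@", 1)
        if not _USERINFO.fullmatch(userinfo):
            raise InvalidAuthority(f"invalid userinfo: {userinfo!r}")

    if rest.startswith("["):
        # IP-literal. IPvFuture ("[v1.x]") is deliberately not accepted here.
        end = rest.find("]")
        if end == -1:
            raise InvalidAuthority(f"unterminated IP-literal: {rest!r}")
        host, port_part = rest[: end + 1], rest[end + 1 :]
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError as exc:
            raise InvalidAuthority(f"bad IPv6 literal: {host!r}") from exc
    else:
        host, sep, tail = rest.partition(":")
        port_part = sep + tail
        if host == "":
            raise InvalidAuthority("empty host")
        if _IPV4_SHAPE.fullmatch(host):
            try:  # dotted quad with an octet above 255 is an error, not a name
                ipaddress.IPv4Address(host)
            except ValueError as exc:
                raise InvalidAuthority(f"bad IPv4 address: {host!r}") from exc
        elif not _REG_NAME.fullmatch(host):
            raise InvalidAuthority(f"invalid reg-name: {host!r}")

    port = None
    if port_part:
        if not port_part.startswith(":"):
            # e.g. "[::1]junk:80": text after a closed IP-literal is not a port
            raise InvalidAuthority(f"unexpected text after host: {port_part!r}")
        digits = port_part[1:]
        if digits:  # RFC 3986 allows an empty port ("host:"), meaning none
            if not _PORT.fullmatch(digits):
                raise InvalidAuthority(f"non-numeric port: {digits!r}")
            port = int(digits)
            if port > 65535:
                raise InvalidAuthority(f"port out of range: {port}")
    return Authority(userinfo, host, port)


def accepted_host(uri: str) -> Optional[str]:
    """Host a proxy may forward to, or None if the URI must be refused."""
    try:
        return parse_authority(http_authority(uri)).host
    except InvalidAuthority:
        return None


if __name__ == "__main__":
    # Constructed sample URIs (not taken from the advisory), valid and invalid.
    for sample in ["http://example.com:8080/path", "http://user@[::1]:443/",
                   "http://10.0.0.1", "http:///path", "http://[::1]x:80/",
                   "http://host name/", "http://a@b@c/", "http://host:80:1/"]:
        print(f"{sample:32} -> {accepted_host(sample)}")
```

The design point is that every branch either returns a fully validated host or raises; nothing falls through to "treat the remainder as the hostname". Rejecting a dotted quad with an out-of-range octet, rather than reclassifying it as a reg-name, is a deliberate choice stricter than the RFC grammar.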
CVSS v3 Severity:2.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
2.4 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
2.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
2.4 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-20
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2022-2047

Source: XF
Type: UNKNOWN
eclipse-cve20222047-sec-bypass(230668)

Source: CCN
Type: Eclipse GIT Repository
Invalid URI parsing may produce invalid HttpURI.authority

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220821 [SECURITY] [DLA 3079-1] jetty9 security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220901-0006/

Source: DEBIAN
Type: Third Party Advisory
DSA-5198

Source: CCN
Type: IBM Security Bulletin 6608554 (Sterling Secure Proxy)
IBM Secure External Authentication Server is vulnerable to multiple issues due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6608556 (Sterling Secure Proxy)
IBM Sterling Secure Proxy is vulnerable to multiple issues due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6612971 (Rational Functional Tester)
An Eclipse Jetty vulnerability affects IBM Rational Functional Tester

Source: CCN
Type: IBM Security Bulletin 6825139 (QRadar User Behavior Analytics)
Multiple vulnerabilities in Zookeeper affecting IBM QRadar User Behavior Analytics (CVE-2022-2191, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823, CVE-2020-36518)

Source: CCN
Type: IBM Security Bulletin 6825513 (Rational Change)
Multiple Vulnerabilities in Rational Change Fix Pack 04 for 5.3.2

Source: CCN
Type: IBM Security Bulletin 6825515 (Rational Synergy)
Multiple Vulnerabilities in Rational Synergy 7.2.2.4

Source: CCN
Type: IBM Security Bulletin 6828249 (Process Mining)
Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2022-2047)

Source: CCN
Type: IBM Security Bulletin 6829321 (InfoSphere Information Server)
Multiple vulnerabilities in Eclipse Jetty affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6831855 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6840151 (Log Analysis)
Potential vulnerability in Eclipse Jetty affects IBM Operations Analytics - Log Analysis (CVE-2022-2047)

Source: CCN
Type: IBM Security Bulletin 6840987 (Rational Performance Tester)
Rational Performance Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate these vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6840989 (Rational Performance Tester)
Rational Service Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Service Tester has taken steps to mitigate these vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6852217 (Cloud Pak for Business Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for December 2022

Source: CCN
Type: IBM Security Bulletin 6852233 (Tivoli Netcool/OMNIbus)
Tivoli Netcool/Omnibus installation contains vulnerable Eclipse Jetty code libraries (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 6852613 (Tivoli Network Manager)
Multiple Vulnerabilities discovered in libraries used by Apache Zookeeper that is included in ITNM (CVE-2020-36518, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823)

Source: CCN
Type: IBM Security Bulletin 6854577 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6959601 (Maximo Asset Management)
There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047)

Source: CCN
Type: IBM Security Bulletin 6959689 (Maximo Application Suite)
There is a vulnerability in Eclipse Jetty used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-2047)

Source: CCN
Type: IBM Security Bulletin 6965698 (Tivoli Network Manager)
Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition.

Source: CCN
Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus)
Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6966652 (Cloud Pak for Data System)
Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-2047]

Source: CCN
Type: IBM Security Bulletin 6983274 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6992077 (Security Verify Information Queue)
IBM Security Verify Information Queue has multiple third-party library vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7001793 (App Connect Enterprise Toolkit)
Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit

Source: CCN
Type: IBM Security Bulletin 7005485 (Cloud Pak for Network Automation)
Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7014939 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOps

Source: CCN
Type: IBM Security Bulletin 7015865 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-2047

Vulnerable Configuration:Configuration 1:
  • cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.0 and <= 9.4.46)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.0.9)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.0.9)

Configuration 2:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • OR cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:solidfire_&_hci_storage_node:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_performance_tester:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:sterling_secure_proxy:3.4.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_secure_proxy:2.4.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_secure_proxy:6.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_application_suite:8.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.6.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
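The three Jetty ranges in Configuration 1 (9.4.0 to 9.4.46, 10.0.0 to 10.0.9, 11.0.0 to 11.0.9) are inclusive at both ends, so 9.4.47, 10.0.10 and 11.0.10 are the first releases outside them. The following Python is an added example, not code from Eclipse Jetty or from any advisory referenced on this page: it checks a Jetty version string against those ranges, handling the 9.4 line's `.vYYYYMMDD` build qualifier, and scans a Maven dependency listing for Jetty artifacts in range. The dependency listing is constructed sample input, not real build output.

```python
"""Affected-version check for CVE-2022-2047 (added example; not Jetty or
advisory code). Ranges are those listed on this page, inclusive."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected) per release line, both inclusive.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((9, 4, 0), (9, 4, 46)),
    ((10, 0, 0), (10, 0, 9)),
    ((11, 0, 0), (11, 0, 9)),
)

# Jetty versions look like "10.0.9" or, on the 9.4 line, "9.4.46.v20220331";
# the ".vYYYYMMDD" build qualifier must be dropped before numeric comparison,
# otherwise a naive string compare puts "9.4.5.v2019..." after "9.4.46".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")


def parse_jetty_version(version: str) -> Optional[Version]:
    """Return (major, minor, patch) or None for a string that is not a Jetty version."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True/False for a parseable Jetty version, None if unrecognised."""
    v = parse_jetty_version(version)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed sample in the groupId:artifactId:type:version:scope shape that
# `mvn dependency:list` prints; not taken from any real build.
SAMPLE_DEPENDENCIES = """\
org.eclipse.jetty:jetty-http:jar:9.4.46.v20220331:compile
org.eclipse.jetty:jetty-server:jar:9.4.48.v20220622:compile
org.eclipse.jetty:jetty-http:jar:10.0.9:compile
org.eclipse.jetty:jetty-http:jar:11.0.10:compile
org.eclipse.jetty:jetty-util:jar:9.4.0.v20180619:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
"""


def affected_artifacts(dependency_list: str) -> List[Tuple[str, str]]:
    """(artifact, version) for every org.eclipse.jetty artifact in an affected range."""
    hits: List[Tuple[str, str]] = []
    for line in dependency_list.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[0] != "org.eclipse.jetty":
            continue
        artifact, version = parts[1], parts[3]
        if is_affected(version):
            hits.append((artifact, version))
    return hits


if __name__ == "__main__":
    for artifact, version in affected_artifacts(SAMPLE_DEPENDENCIES):
        print(f"affected: {artifact} {version}")
```

Feed it the real output of `mvn dependency:list` (or any line-per-artifact listing in the same shape) instead of `SAMPLE_DEPENDENCIES`; a version the regex does not recognise yields None from `is_affected` rather than a silent False, so unrecognised strings can be surfaced separately.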
Oval Definitions:
Definition ID: oval:org.opensuse.security:def:8024
Class: P
Title: jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate)
Last Modified: 2023-06-20