Vulnerability Name: CVE-2022-2047 (CCN-230668)
Assigned: 2022-07-07
Published: 2022-07-07
Updated: 2022-10-25

Summary: In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class incorrectly treats invalid input as a hostname. This can lead to failures in a proxy scenario.

CVSS v3 Severity:
  2.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
  2.4 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): High; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None

CCN CVSS v3 Severity:
  2.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
  2.4 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): High; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None

CVSS v2 Severity:
  4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single Instance
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None

CCN CVSS v2 Severity:
  4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single Instance
  Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
Vulnerability Type: CWE-20
Vulnerability Consequences: Bypass Security

References:
  Source: MITRE; Type: CNA; CVE-2022-2047
  Source: XF; Type: UNKNOWN; eclipse-cve20222047-sec-bypass(230668)
  Source: CCN; Type: Eclipse GIT Repository; Invalid URI parsing may produce invalid HttpURI.authority
  Source: CONFIRM; Type: Patch, Third Party Advisory; https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
  Source: MLIST; Type: Mailing List, Third Party Advisory; [debian-lts-announce] 20220821 [SECURITY] [DLA 3079-1] jetty9 security update
  Source: CONFIRM; Type: Third Party Advisory; https://security.netapp.com/advisory/ntap-20220901-0006/
  Source: DEBIAN; Type: Third Party Advisory; DSA-5198
  Source: CCN; Type: IBM Security Bulletin 6608554 (Sterling Secure Proxy); IBM Secure External Authentication Server is vulnerable to multiple issues due to Eclipse Jetty
  Source: CCN; Type: IBM Security Bulletin 6608556 (Sterling Secure Proxy); IBM Sterling Secure Proxy is vulnerable to multiple issues due to Eclipse Jetty
  Source: CCN; Type: IBM Security Bulletin 6612971 (Rational Functional Tester); An Eclipse Jetty vulnerability affects IBM Rational Functional Tester
  Source: CCN; Type: IBM Security Bulletin 6825139 (QRadar User Behavior Analytics); Multiple vulnerabilities in Zookeeper affecting IBM QRadar User Behavior Analytics (CVE-2022-2191, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823, CVE-2020-36518)
  Source: CCN; Type: IBM Security Bulletin 6825513 (Rational Change); Multiple Vulnerabilities in Rational Change Fix Pack 04 for 5.3.2
  Source: CCN; Type: IBM Security Bulletin 6825515 (Rational Synergy); Multiple Vulnerabilities in Rational Synergy 7.2.2.4
  Source: CCN; Type: IBM Security Bulletin 6828249 (Process Mining); Vulnerability in Eclipse Jetty affects IBM Process Mining. CVE-2022-2047
  Source: CCN; Type: IBM Security Bulletin 6829321 (InfoSphere Information Server); Multiple vulnerabilities in Eclipse Jetty affect IBM InfoSphere Information Server
  Source: CCN; Type: IBM Security Bulletin 6831855 (QRadar SIEM); IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6840151 (Log Analysis); Potential vulnerability in Eclipse Jetty affects IBM Operations Analytics - Log Analysis (CVE-2022-2047)
  Source: CCN; Type: IBM Security Bulletin 6840987 (Rational Performance Tester); Rational Performance Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate these vulnerabilities.
  Source: CCN; Type: IBM Security Bulletin 6840989 (Rational Performance Tester); Rational Service Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Service Tester has taken steps to mitigate these vulnerabilities.
  Source: CCN; Type: IBM Security Bulletin 6852217 (Cloud Pak for Business Automation); Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for December 2022
  Source: CCN; Type: IBM Security Bulletin 6852233 (Tivoli Netcool/OMNIbus); Tivoli Netcool/Omnibus installation contains vulnerable Eclipse Jetty code libraries (Multiple CVEs)
  Source: CCN; Type: IBM Security Bulletin 6852613 (Tivoli Network Manager); Multiple Vulnerabilities discovered in libraries used by Apache Zookeeper that is included in ITNM (CVE-2020-36518, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823)
  Source: CCN; Type: IBM Security Bulletin 6854577 (Security Verify Governance); IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty
  Source: CCN; Type: IBM Security Bulletin 6959601 (Maximo Asset Management); There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047)
  Source: CCN; Type: IBM Security Bulletin 6959689 (Maximo Application Suite); There is a vulnerability in Eclipse Jetty used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-2047)
  Source: CCN; Type: IBM Security Bulletin 6965698 (Tivoli Network Manager); Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition.
  Source: CCN; Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus); Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus
  Source: CCN; Type: IBM Security Bulletin 6966652 (Cloud Pak for Data System); Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-2047]
  Source: CCN; Type: IBM Security Bulletin 6983274 (Cognos Command Center); IBM Cognos Command Center is affected by multiple vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6992077 (Security Verify Information Queue); IBM Security Verify Information Queue has multiple third-party library vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 7001793 (App Connect Enterprise Toolkit); Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit
  Source: CCN; Type: IBM Security Bulletin 7005485 (Cloud Pak for Network Automation); Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 7014939 (Cloud Pak for Watson AIOps); Multiple Vulnerabilities in CloudPak for Watson AIOps
  Source: CCN; Type: IBM Security Bulletin 7015865 (Cloud Pak for Security); IBM Cloud Pak for Security includes components with multiple known vulnerabilities
  Source: CCN; Type: Mend Vulnerability Database; CVE-2022-2047

Vulnerable Configuration:

Configuration 1:
  cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.0.9)
  OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version < 9.4.46)
  OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 10.0.0 and < 10.0.9)

Configuration 2:
  cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3:
  cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*
  OR cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  OR cpe:/a:netapp:solidfire_&_hci_storage_node:-:*:*:*:*:*:*:*
  OR cpe:/a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*
  OR cpe:/a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*

Configuration CCN 1:
  cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
  OR cpe:/a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*
  OR cpe:/a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*
  AND
  cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_performance_tester:9.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  OR cpe:/a:ibm:sterling_secure_proxy:3.4.3.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:sterling_secure_proxy:2.4.3.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*
  OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:sterling_secure_proxy:6.0.3.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  OR cpe:/a:ibm:maximo_application_suite:8.4:*:*:*:*:*:*:*
  OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:maximo_asset_management:7.6.1.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

Vulnerable components (vendor, product, version, update; "*" means any version, "-" means no version or update given):
eclipse jetty *
eclipse jetty *
eclipse jetty *
debian debian linux 10.0
debian debian linux 11.0
netapp snapcenter -
netapp hci compute node -
netapp solidfire & hci storage node -
netapp element plug-in for vcenter server -
netapp management services for element software and netapp hci -
eclipse jetty 9.4.0 20180619
eclipse jetty 10.0.0 -
eclipse jetty 11.0.0 -
ibm tivoli netcool/omnibus 8.1.0
ibm infosphere information server 11.7
ibm spectrum protect plus 10.1.0
ibm rational performance tester 9.2
ibm app connect 11.0.0.1
ibm sterling secure proxy 3.4.3.2
ibm sterling secure proxy 2.4.3.2
ibm cognos command center 10.2.4.1
ibm rational functional tester 9.5
ibm qradar security information and event manager 7.4 -
ibm app connect enterprise 12.0.1.0
ibm sterling secure proxy 6.0.3.0
ibm cloud pak for business automation 18.0.0
ibm cloud pak for business automation 18.0.2
ibm cloud pak for business automation 19.0.1
ibm cloud pak for business automation 19.0.3
ibm cloud pak for business automation 20.0.1
ibm cloud pak for business automation 20.0.3
ibm cloud pak for business automation 21.0.1 -
ibm cloud pak for business automation 21.0.2 -
ibm cloud pak for business automation 21.0.3 -
ibm maximo application suite 8.4
ibm security verify governance 10.0
ibm maximo asset management 7.6.1.3
ibm cloud pak for business automation 22.0.1 -
ibm cloud pak for security 1.10.0.0