Description
Hello,
Writing to flag some inaccuracies I found while researching GHSA-h2f4-v4c4-6wx4 for GA org.eclipse.jetty:jetty-server.
I found two issues with the current advisory and have raised a PR with updates here: #7093
--> Patched version for 9.3.x appears to be incorrect:
The advisory lists 9.3.25.v20180904 as a patched version for the 9.3.x range. While researching the actual fix, I traced it to commit jetty/jetty.project@9eca404, via PR jetty/jetty.project#2723 (Improve configurability for SETTINGS frames). Ref: jetty/jetty.project#2722
This commit introduces a maxSettingsKeys limit in SettingsBodyParser.java which directly addresses both attack vectors described in the CVE.
However, this commit only exists on the 9.4.x branch and was never backported to 9.3.x. I verified this by inspecting SettingsBodyParser.java directly on the 9.3.x branch - the maxKeys guard and DEFAULT_MAX_KEYS constant are absent across all 9.3.x versions, including 9.3.25.v20180904.
This was also independently confirmed in a Bugzilla report: https://bugzilla.redhat.com/show_bug.cgi?id=1696062#c3
--> Affected package appears to be incorrect:
The advisory currently lists org.eclipse.jetty:jetty-server as the affected package. Based on the fix commit, the vulnerable code actually resides in org.eclipse.jetty.http2:http2-common (SettingsBodyParser.java). jetty-server itself contains no HTTP/2 frame parsing logic.
Would love to hear your thoughts - happy to provide any additional context if needed.
Regards,
Meet
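To illustrate the kind of guard the report above describes (a cap on the number of settings entries a single HTTP/2 SETTINGS frame may carry, checked before any per-entry work is done), here is an added example that is not part of the original issue and not Jetty's own code. It parses a SETTINGS frame payload as laid out in RFC 7540 section 6.5 (6-byte entries: 2-byte identifier, 4-byte value). The default limit `DEFAULT_MAX_KEYS = 64` is an assumed value chosen for this example and does not claim to match Jetty's constant; `build_settings_body` is a helper written here to construct sample input.

```python
import struct
from typing import Dict, List, Tuple

# RFC 7540 section 6.5.1: each setting is a 16-bit identifier + 32-bit value.
SETTINGS_ENTRY_LEN = 6

# Well-known identifiers (RFC 7540 section 6.5.2).
SETTINGS_ENABLE_PUSH = 0x2
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
SETTINGS_MAX_FRAME_SIZE = 0x5

# Assumed cap for this example only; Jetty's actual default is not asserted here.
DEFAULT_MAX_KEYS = 64


class SettingsFrameError(Exception):
    """Raised for malformed SETTINGS payloads; maps to a connection error."""


def build_settings_body(entries: List[Tuple[int, int]]) -> bytes:
    """Construct a SETTINGS payload from (identifier, value) pairs (test helper)."""
    return b"".join(struct.pack("!HI", key, value) for key, value in entries)


def parse_settings_body(payload: bytes, max_keys: int = DEFAULT_MAX_KEYS) -> Dict[int, int]:
    """Parse a SETTINGS frame payload, enforcing a maximum number of entries.

    The key-count check runs before the loop, so an oversized frame is rejected
    in O(1) instead of after attacker-controlled per-entry processing.
    """
    if len(payload) % SETTINGS_ENTRY_LEN != 0:
        raise SettingsFrameError("FRAME_SIZE_ERROR: SETTINGS length not a multiple of 6")

    key_count = len(payload) // SETTINGS_ENTRY_LEN
    if key_count > max_keys:
        raise SettingsFrameError(
            f"ENHANCE_YOUR_CALM: {key_count} settings keys exceeds limit {max_keys}"
        )

    settings: Dict[int, int] = {}
    for i in range(key_count):
        key, value = struct.unpack_from("!HI", payload, i * SETTINGS_ENTRY_LEN)

        # Value validation required by RFC 7540 section 6.5.2.
        if key == SETTINGS_ENABLE_PUSH and value not in (0, 1):
            raise SettingsFrameError("PROTOCOL_ERROR: ENABLE_PUSH must be 0 or 1")
        if key == SETTINGS_INITIAL_WINDOW_SIZE and value > 2**31 - 1:
            raise SettingsFrameError("FLOW_CONTROL_ERROR: INITIAL_WINDOW_SIZE too large")
        if key == SETTINGS_MAX_FRAME_SIZE and not (2**14 <= value <= 2**24 - 1):
            raise SettingsFrameError("PROTOCOL_ERROR: MAX_FRAME_SIZE out of range")

        # Unknown identifiers are ignored per spec; repeated keys: last one wins.
        settings[key] = value
    return settings


def demo_oversized_frame(entry_count: int, max_keys: int = DEFAULT_MAX_KEYS) -> bool:
    """Return True if a frame carrying entry_count repeated entries is rejected.

    The constructed payload repeats SETTINGS_INITIAL_WINDOW_SIZE entry_count times,
    which is valid per spec but is the shape a resource-exhaustion attempt would use.
    """
    payload = build_settings_body([(SETTINGS_INITIAL_WINDOW_SIZE, 65535)] * entry_count)
    try:
        parse_settings_body(payload, max_keys=max_keys)
        return False
    except SettingsFrameError:
        return True


if __name__ == "__main__":
    sample = build_settings_body([(SETTINGS_MAX_FRAME_SIZE, 16384), (SETTINGS_ENABLE_PUSH, 0)])
    print(parse_settings_body(sample))
    # A default 16 KiB frame can hold 2730 entries; without the cap all are processed.
    print("2730-entry frame rejected:", demo_oversized_frame(2730))
```

The check that matters is the one on `key_count` placed ahead of the loop: a parser that validates each entry but never bounds the count still does work linear in attacker-supplied input for every frame, which is the class of problem a `maxSettingsKeys`-style limit exists to close.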