Skip to content

[🍒][PLUGIN-1934]: Fix CVEs in jetty-http 9.4.12.v20180830 #349

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Krish-cloudsufi wants to merge 1 commit into
base: release/1.7
Choose a base branch
from
Open

[🍒][PLUGIN-1934]: Fix CVEs in jetty-http 9.4.12.v20180830 #349

Krish-cloudsufi wants to merge 1 commit into from

Conversation

@Krish-cloudsufi
Copy link
Contributor

@Krish-cloudsufi Krish-cloudsufi commented Dec 30, 2025
edited
Loading

[🍒]

🍒 [cherrypick]

Commits:

PR:

Description:

PLUGIN-1934: This PR upgrades the Jetty HTTP dependency to address an issue where Jetty accepted a '+' character preceding the Content-Length value in HTTP/1 headers. This behavior was more permissive than allowed by the RFC and could potentially lead to HTTP request smuggling when Jetty is used alongside servers that strictly validate such headers (e.g., NGINX, Apache).

Fix: Upgraded the Jetty HTTP dependency from version 9.4.12.v20180830 to 9.4.52.v20230823, where strict validation of the Content-Length header is enforced and the issue is resolved.

CVE Fix Verification: https://screenshot.googleplex.com/7RjXpjeSc7rx4zr

Pipeline Run: https://screenshot.googleplex.com/AcYid2CdAbnhkeK

JIRA: PLUGIN-1934

@Krish-cloudsufi Krish-cloudsufi changed the title Jetty-http upgrade from 9.4.12 to 9.4.52 [🍒][PLUGIN-1934]: Fix CVEs in jetty-http 9.4.12.v20180830 Dec 30, 2025
@anup-cloudsufi
Copy link

anup-cloudsufi commented Dec 31, 2025

LGTM.

MrRahulSharma
MrRahulSharma reviewed Jan 2, 2026
View reviewed changes
Copy link
Contributor

@MrRahulSharma MrRahulSharma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add details in the description about the validations performed with this change ?

@Krish-cloudsufi
Copy link
Contributor Author

Krish-cloudsufi commented Jan 2, 2026

Can you add details in the description about the validations performed with this change ?

Added details of the validations performed, including Pipeline run link and CVE verification link, in the description.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vikasrathee-cs vikasrathee-cs Awaiting requested review from vikasrathee-cs

@sgarg-CS sgarg-CS Awaiting requested review from sgarg-CS

@anup-cloudsufi anup-cloudsufi Awaiting requested review from anup-cloudsufi

@MrRahulSharma MrRahulSharma Awaiting requested review from MrRahulSharma

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

build

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Krish-cloudsufi @anup-cloudsufi @MrRahulSharma