GHSA-cj7v-27pg-wf7q

GitHub Security Advisory

Jetty invalid URI parsing may produce invalid HttpURI.authority

✓ GitHub Reviewed LOW Has CVE

Advisory Details

### Description
URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`.

A URI of the form `http://localhost;/path` should be interpreted either as invalid or as having `localhost;` as the userinfo and no host.
However, `HttpURI.host` returns `localhost;`, which is definitely wrong.

### Impact
This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host.
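As an added example (not code from the advisory or from Jetty), the check below decomposes a URI authority the strict way the Description and Impact sections expect: `localhost;` is not a well-formed host, so a proxy component consulting it sees no host to forward to rather than a bogus one. The hostname grammar (DNS-style labels, dotted IPv4, or a bracketed IPv6 literal) is an assumption chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed host grammar for this example: DNS-style labels / dotted IPv4, or a
# bracketed IPv6 literal. Characters such as ';' '?' '#' '@' never form a host.
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
_IPV6 = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")


class InvalidAuthority(ValueError):
    """Raised when an authority cannot be decomposed into a well-formed host."""


def parse_authority(authority):
    """Return (userinfo, host, port) for an RFC 3986 authority string,
    rejecting hosts that carry characters a hostname cannot (e.g. 'localhost;')."""
    userinfo, hostport = None, authority
    if "@" in authority:
        userinfo, hostport = authority.rsplit("@", 1)   # userinfo may contain ';'
    if not hostport:
        return userinfo, None, None                      # authority with no host
    if hostport.startswith("["):                         # [IPv6]:port form
        close = hostport.find("]")
        if close < 0:
            raise InvalidAuthority("unterminated IPv6 literal")
        host, rest = hostport[:close + 1], hostport[close + 1:]
        if not _IPV6.match(host) or (rest and not rest.startswith(":")):
            raise InvalidAuthority(f"bad IPv6 host: {hostport!r}")
        port = rest[1:] if rest else ""
    else:
        host, _, port = hostport.partition(":")
        if not _HOSTNAME.match(host):
            raise InvalidAuthority(f"bad host: {host!r}")
    if port and not port.isdigit():
        raise InvalidAuthority(f"bad port: {port!r}")
    return userinfo, host, (int(port) if port else None)


def effective_host(uri):
    """Host a proxy may forward to, or None when the URI has no usable host.
    For the advisory's 'http://localhost;/path' this returns None, not 'localhost;'."""
    netloc = urlsplit(uri).netloc
    if not netloc:
        return None
    try:
        return parse_authority(netloc)[1]
    except InvalidAuthority:
        return None
```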

### Patches
Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47.
Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10 and 11.0.10.

### Workarounds
None.

### For more information
If you have any questions or comments about this advisory:
* Email us at [email protected].

Affected Packages

Maven org.eclipse.jetty:jetty-http
Affected versions: 0 (fixed in 9.4.47)
Maven org.eclipse.jetty:jetty-http
Affected versions: 10.0.0 (fixed in 10.0.10)
Maven org.eclipse.jetty:jetty-http
Affected versions: 11.0.0 (fixed in 11.0.10)

Key Information

GHSA ID
GHSA-cj7v-27pg-wf7q
Published
July 7, 2022 8:55 PM
Last Modified
July 19, 2022 7:42 PM
CVSS Score
2.5 /10
Primary Ecosystem
Maven
Primary Package
org.eclipse.jetty:jetty-http
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 24, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.