Skip to content

[GHSA-355h-qmc2-wpwf] Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing #7421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jhy wants to merge 1 commit into
base: jhy/advisory-improvement-7421
Choose a base branch
from
Open

[GHSA-355h-qmc2-wpwf] Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing #7421

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 3 additions & 6 deletions advisories/github-reviewed/2026/04/GHSA-355h-qmc2-wpwf/GHSA-355h-qmc2-wpwf.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-355h-qmc2-wpwf",
"modified": "2026-04-14T23:40:31Z",
"modified": "2026-04-14T23:40:32Z",
"published": "2026-04-14T23:40:31Z",
"aliases": [
"CVE-2026-2332"
Expand Down Expand Up @@ -116,14 +116,11 @@
"introduced": "9.4.0"
},
{
"fixed": "9.4.60"
"last_affected": "9.4.59"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "<= 9.4.59"
}
]
Comment on lines 116 to +123
Copy link

Copilot AI Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description notes Jetty 9’s latest release is 9.4.58... (EOL), but the advisory now marks last_affected as 9.4.59. Please reconcile this by setting last_affected to the actual last released vulnerable version (or using the project’s exact version string convention, e.g., including the .vYYYYMMDD suffix if that’s what consumers expect) so the affected range doesn’t reference a version that may not exist.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing database_specific.last_known_affected_version_range may be a breaking change for downstream consumers/tools that rely on that field (even if the same information is representable via events). If this repo’s advisories commonly include last_known_affected_version_range, consider keeping database_specific and updating it to match the new representation to preserve compatibility.

Suggested change
]
],
"database_specific": {
"last_known_affected_version_range": "<= 9.4.59"
}

Copilot uses AI. Check for mistakes.
}
],
"references": [
Expand Down
Loading