[
https://issues.apache.org/jira/browse/TIKA-4757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Srinivasarao Daruna updated TIKA-4757:
--------------------------------------
Summary: Upgrade Jetty from 11.0.26 to 12.0.35 to fix CVE-2026-2332 (HTTP
request smuggling, CVSS 9.1) (was: [SECURITY] CVE-2026-2332: HTTP request
smuggling via Jetty jetty-http)
> Upgrade Jetty from 11.0.26 to 12.0.35 to fix CVE-2026-2332 (HTTP request
> smuggling, CVSS 9.1)
> ---------------------------------------------------------------------------------------------
>
> Key: TIKA-4757
> URL: https://issues.apache.org/jira/browse/TIKA-4757
> Project: Tika
> Issue Type: Bug
> Reporter: Srinivasarao Daruna
> Priority: Major
>
> CVE-2026-2332 (CVSS 9.1 Critical) is an HTTP/1.1 request smuggling
> vulnerability in Jetty's HTTP/1.1 chunk-extension parser. The parser
> terminates chunk-extension parsing at \r\n inside quoted strings
> instead of treating this as an error, allowing unauthenticated remote
> attackers to smuggle HTTP requests and compromise confidentiality and
> integrity (CWE-444).
> Affected versions: Jetty 11.0.0–11.0.27
> Apache Tika currently uses: 11.0.26 (vulnerable)
> Fixed in: 11.0.28 (and 12.0.33 / 12.1.7 in newer lines)
> Jetty 11.x is EOL (Nov 2024). The immediate fix is to upgrade
> jetty.version to 11.0.28. Long-term, migration to Jetty 12.1.x
> is required, which depends on:
> 1. Java version upgrade
> 2. Resolving Http2SolrClient (SolrJ 9.10.0) compatibility with
> the Jetty 12 API (InputStreamResponseListener moved from
> org.eclipse.jetty.client.util to org.eclipse.jetty.client)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
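The parsing defect the issue description points at (a CRLF inside a quoted chunk-extension value ending the chunk-size line instead of being rejected), worked through as an added example. This is not Jetty's or Tika's code: the "lenient" mode is modelled on the description's wording, not on Jetty's actual parser, and the two chunked bodies are constructed for the demonstration, not captured traffic. The disagreement it shows between a strict and a lenient parser over where chunk data begins is the framing inconsistency that turns into request smuggling (CWE-444) when two hops parse the same bytes differently.

```python
"""Added example (not Jetty or Tika code): a minimal HTTP/1.1 chunk-size line
parser in two modes, showing why a CRLF inside a quoted chunk-extension value
must be a syntax error rather than the end of the line.

Grammar, RFC 9112 section 7.1 and RFC 9110 section 5.6.4:
  chunk         = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
  chunk-ext     = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
  chunk-ext-val = token / quoted-string
  quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
qdtext and quoted-pair never include CR or LF.
"""
import string

CR, LF, HTAB, DQUOTE, BACKSLASH = 0x0D, 0x0A, 0x09, 0x22, 0x5C


class ChunkSyntaxError(ValueError):
    """The chunk-size line violates the RFC 9112 grammar (answer: 400 Bad Request)."""


def _is_ctl(c: int) -> bool:
    return c < 0x20 or c == 0x7F


def parse_chunk_size_line(buf: bytes, strict: bool = True):
    """Parse the chunk-size line at the start of buf.

    Returns (chunk_size, offset_of_first_chunk_data_byte).
    strict=True  : conforming behaviour; CRLF inside a quoted-string is rejected.
    strict=False : lenient behaviour modelled on the issue description (an
                   assumption, not a copy of Jetty's parser): the first CRLF
                   ends the line even while a quoted-string is still open.
    Only the quote/CRLF handling is modelled; the ';' / '=' token structure
    of chunk-ext is not validated.
    """
    i = 0
    while i < len(buf) and chr(buf[i]) in string.hexdigits:
        i += 1
    if i == 0:
        raise ChunkSyntaxError("missing chunk-size")
    size = int(buf[:i], 16)

    in_quote = False
    while i < len(buf):
        c = buf[i]
        if c == CR:
            if buf[i + 1:i + 2] != b"\n":
                raise ChunkSyntaxError("bare CR in chunk-size line")
            if in_quote and strict:
                raise ChunkSyntaxError("CRLF inside quoted-string")
            return size, i + 2            # chunk-data starts right after CRLF
        if c == LF:
            # The RFC's optional bare-LF tolerance is deliberately not implemented.
            raise ChunkSyntaxError("bare LF in chunk-size line")
        if in_quote:
            if c == DQUOTE:
                in_quote = False
            elif c == BACKSLASH:
                # quoted-pair: the next octet is literal but must still be
                # HTAB / SP / VCHAR / obs-text, never a control character.
                i += 1
                if i >= len(buf):
                    raise ChunkSyntaxError("truncated quoted-pair")
                if _is_ctl(buf[i]) and buf[i] != HTAB:
                    raise ChunkSyntaxError("control character in quoted-pair")
            elif _is_ctl(c) and c != HTAB:
                raise ChunkSyntaxError("control character in quoted-string")
        else:
            if c == DQUOTE:
                in_quote = True
            elif _is_ctl(c) and c != HTAB:
                raise ChunkSyntaxError("control character in chunk-ext")
        i += 1
    raise ChunkSyntaxError("truncated chunk-size line")


def first_chunk(buf: bytes, strict: bool):
    """How a parser in the given mode frames the first chunk of buf:
    (size, chunk_data) if it accepts the line, None if it rejects the request."""
    try:
        size, off = parse_chunk_size_line(buf, strict)
    except ChunkSyntaxError:
        return None
    return size, buf[off:off + size]


# Constructed sample bodies (not captured traffic).
BENIGN = b'5;ext="a b"\r\nHELLO\r\n0\r\n\r\n'   # legal quoted-string containing a space
CRAFTED = b'5;ext="v\r\nHELLO\r\n0\r\n\r\n'     # CRLF arrives while the quote is still open

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, "strict:", first_chunk(body, True),
              "lenient:", first_chunk(body, False))
```

On the benign body both modes agree on the framing. On the crafted body the lenient parser accepts the line and treats the next five bytes as chunk data, while the strict parser rejects the request outright; a conforming server should do the latter (400 and close the connection) rather than guess, because any downstream or upstream component that frames those bytes differently now sees a different request boundary.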