7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
49.9%
Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread.
If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response.
If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service.
A malicious client may render the server unresponsive.
The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10.
No workaround available within Jetty itself.
One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy)
If you have any questions or comments about this advisory:
www.openwall.com/lists/oss-security/2022/09/09/2
github.com/eclipse/jetty.project
github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
lists.debian.org/debian-lts-announce/2022/08/msg00011.html
nvd.nist.gov/vuln/detail/CVE-2022-2048
security.netapp.com/advisory/ntap-20220901-0006
www.debian.org/security/2022/dsa-5198
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
49.9%