
4433 matches found

RedhatCVE
added 2022/08/09 3:36 p.m. | 75 views

CVE-2022-2048

A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests...

CVSS 7.5 | AI score 3.6 | EPSS 0.01818
Exploits: 0 | References: 4
Tenable Nessus
added 2022/08/03 12:0 a.m. | 40 views

Debian DSA-5198-1 : jetty9 - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5198 advisory. Two security vulnerabilities were discovered in Jetty, a Java servlet engine and webserver. CVE-2022-2047 In Eclipse Jetty the parsing of the authority segment of...

CVSS 7.5 | AI score 7.1 | EPSS 0.01818
Exploits: 0 | References: 7
OSV
added 2022/08/01 10:20 p.m. | 31 views

GO-2022-0536 Reset flood in net/http and golang.org/x/net/http

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of stream...

CVSS 7.8 | AI score 7 | EPSS 0.83433
Exploits: 1 | References: 4
OSV
added 2022/07/15 11:8 p.m. | 41 views

GO-2022-0288 Unbounded memory growth in net/http and golang.org/x/net/http2

An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests...

CVSS 7.5 | AI score 6.3 | EPSS 0.03958
Exploits: 0 | References: 3
Tenable Nessus
added 2022/07/15 12:0 a.m. | 94 views

Amazon Linux 2 : golang (ALAS-2022-1811)

The version of golang installed on the remote host is prior to 1.16.15-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1811 advisory. An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with...

CVSS 9.8 | AI score 7.2 | EPSS 0.10299
Exploits: 3 | References: 34
OpenVAS
added 2022/07/08 12:0 a.m. | 41 views

Eclipse Jetty Multiple Vulnerabilities (Jul 2022) - Linux

Eclipse Jetty is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:eclipse:jetty"; ifdescription...

CVSS 7.5 | AI score 6.2 | EPSS 0.01818
Exploits: 0 | References: 2
NVD
added 2022/07/07 9:15 p.m. | 18 views

CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources lef...

CVSS 7.5 | EPSS 0.01818
Exploits: 0 | References: 5
OSV
added 2022/07/07 9:15 p.m. | 25 views

CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources lef...

CVSS 7.5 | AI score 8.3
Exploits: 0 | References: 5
UbuntuCve
added 2022/07/07 9:15 p.m. | 47 views

CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources lef...

CVSS 7.5 | AI score 6.8 | EPSS 0.01818
Exploits: 0 | References: 3
Prion
added 2022/07/07 9:15 p.m. | 26 views

Design/Logic Flaw

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources lef...

CVSS 5 | AI score 7.3 | EPSS 0.01818
Exploits: 0 | References: 5 | Affected Software: 3
Github Security Blog
added 2022/07/07 8:55 p.m. | 72 views

Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service

Description: Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying ...

CVSS 7.5 | AI score 0.5 | EPSS 0.01818
Exploits: 0 | References: 7 | Affected Software: 1
AlpineLinux
added 2022/07/07 8:35 p.m. | 53 views

CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources lef...

CVSS 7.5 | AI score 7.6 | EPSS 0.01818
Exploits: 0
Debian CVE
added 2022/07/07 8:35 p.m. | 115 views

CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources lef...

CVSS 7.5 | AI score 6.4 | EPSS 0.01818
Exploits: 0
CVE
added 2022/07/07 8:35 p.m. | 407 views

CVE-2022-2048

CVE-2022-2048 concerns the Eclipse Jetty HTTP/2 server. The bug occurs when handling an invalid HTTP/2 request, where the error path fails to properly clean up active connections and associated resources. This can lead to a denial of service due to resource exhaustion, rendering the server unable...

CVSS 7.5 | AI score 7.3 | EPSS 0.01818
Exploits: 0 | References: 5 | Affected Software: 1
Cvelist
added 2022/07/07 8:35 p.m. | 21 views

CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources lef...

CVSS 7.5 | AI score 7.6 | EPSS 0.01818
Exploits: 0 | References: 5
IBM Security Bulletins
added 2022/06/20 4:28 p.m. | 31 views

Security Bulletin: IBM DataPower Operator potentially vulnerable to Denial of Service (CVE-2021-44716)

Summary: IBM has addressed the CVE. Vulnerability Details: CVEID: CVE-2021-44716 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by an uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit thi...

CVSS 7.5 | AI score 2.8 | EPSS 0.03958
Exploits: 0 | Affected Software: 1
Tenable Nessus
added 2022/06/09 12:0 a.m. | 38 views

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Varnish Cache vulnerabilities (USN-5474-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5474-1 advisory. It was discovered that Varnish Cache did not clear a pointer between the handling of one client request and the next request withi...

CVSS 9.1 | AI score 6.7 | EPSS 0.02106
Exploits: 0 | References: 5
Hacker One
added 2022/06/02 3:29 p.m. | 29 views

curl: Heap overflow via HTTP/2 PUSH_PROMISE

Summary: libcurl HTTP/2 support processes incoming PUSH_PROMISE headers by storing them in an array. The code initially allocates storage for 10 headers and then keeps doubling the array size as needed: stream->push_headers_alloc *= 2; headp = Curl_saferealloc(stream->push_headers, stream->push_headers_alloc...

AI score 1.9
Exploits: 0
Tenable Nessus
added 2022/05/31 12:0 a.m. | 265 views

nginx R8 < R18-P1 Multiple Vulnerabilities

According to its self-reported version, the installed version of Nginx Plus is R8 built on Open Source version 1.9.9 prior to R18-P1 built on Open Source version 1.15.10. It is, therefore, affected by multiple denial of service vulnerabilities : - A denial of service vulnerability exists in the...

CVSS 7.8 | AI score 7.4 | EPSS 0.82017
Exploits: 0 | References: 7
Tenable Nessus
added 2022/05/28 12:0 a.m. | 26 views

openSUSE 15 Security Update : varnish (openSUSE-SU-2022:0148-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0148-1 advisory. - Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST...

CVSS 9.1 | AI score 7.2 | EPSS 0.01957
Exploits: 0 | References: 8