CVE-2018-12545 org.eclipse.jetty:jetty-server

Package

Manager: maven
Name: org.eclipse.jetty:jetty-server
Vulnerable Version: >=9.4.0 <9.4.12.v20180830 || >=9.3.0 <9.3.25.v20180904

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.04755 (percentile 0.89024)

Details

Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server. In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large HTTP/2 SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Metadata

Created: 2019-03-28T18:33:38Z
Modified: 2022-09-17T00:33:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-h2f4-v4c4-6wx4
Finding: F067
Auto approve: 1