CVE-2022-2048

Aliases:GHSA-wgmr-mf83-7x4jBIT-jenkins-2022-2048
Advisory lineage Upstream: 0 Downstream: 7
Modified
Published: 07 Jul 2022, 20:35
Last modified:03 Aug 2024, 00:24

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
1.05% LOW
1% probability -0.24%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 Jul 2022, 20:35
Published
Vulnerability first disclosed
03 Aug 2024, 00:24
Last Modified
Vulnerability information updated

Description

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 1.05% Percentile: 78%

Techniques & Countermeasures

  • CWE-410Insufficient Resource Pool

    The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

  • CWE-664Improper Control of a Resource Through its Lifetime

    The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Affected Systems

  • debiandebian_linux

    10.0 | 11.0

  • eclipsejetty

    < 9.4.47 | ≥ 10.0.0, < 10.0.9 | ≥ 11.0.0, < 11.0.9

  • UnknownJenkins

    < 2.263 | < 2.361.1

  • org.eclipse.jetty.http2http2-server

    < 9.4.47 | ≥ 10.0.0, < 10.0.10 | ≥ 11.0.0, < 11.0.10

  • netappelement_plug-in_for_vcenter_server

    na

  • netapphci_compute_node_firmware

    na

  • netappmanagement_services_for_element_software_and_netapp_hci

    na

  • netappsnapcenter

    na

  • netappsolidfire_\&_hci_storage_node

    na

  • the eclipse foundationeclipse jetty

    ≥ 9.4.0, < unspecified | ≥ unspecified, ≤ 9.4.46 | ≥ 10.0.0, < unspecified | ≥ unspecified, ≤ 10.0.9 | ≥ 11.0.0, < unspecified | ≥ unspecified, ≤ 11.0.9

References (8)