CVE-2022-2048

Uncontrolled Resource Consumption in maven/org.eclipse.jetty.http2/http2-server

Identifiers

GHSA-wgmr-mf83-7x4j, CVE-2022-2048

Package Slug

maven/org.eclipse.jetty.http2/http2-server

Vulnerability

Uncontrolled Resource Consumption

Description

In the Eclipse Jetty HTTP/2 server implementation, when an invalid HTTP/2 request is encountered, a bug in the error handling can leave active connections and their associated resources without proper cleanup. This can lead to a Denial of Service scenario in which not enough resources are left to process good requests.

Affected Versions

All versions before 9.4.47, all versions starting from 10.0.0 before 10.0.10, all versions starting from 11.0.0 before 11.0.10

Solution

Upgrade to versions 9.4.47, 10.0.10, 11.0.10 or above.
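
The following is an added example, not part of the advisory or of Jetty: a small Python check that applies the affected ranges above to Jetty version strings and to `mvn dependency:list`-style lines. The function names and sample lines are constructed for illustration, and treating a pre-release build of a fixed version as still affected is an assumption of this example.

```python
import re

# Fixed releases per major line, taken from the advisory's "Solution" field.
FIXED = {9: (9, 4, 47), 10: (10, 0, 10), 11: (11, 0, 10)}
ARTIFACT = "org.eclipse.jetty.http2:http2-server"
# Qualifiers marking a build older than the release of the same number
# (assumption: such builds of a fixed version count as still affected).
PRERELEASE = re.compile(r"(alpha|beta|rc|m|snapshot)\d*", re.I)
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$")

def is_affected(version):
    """True if a Jetty version string falls in the advisory's affected ranges."""
    m = VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    qualifier = m.group(4) or ""   # e.g. "v20220331" on 9.4.x releases
    major = triple[0]
    if major < 9:
        return True                # "all versions before 9.4.47"
    if major not in FIXED:
        return False               # major lines above 11 are not listed
    pre = bool(PRERELEASE.fullmatch(qualifier))
    return triple < FIXED[major] or (triple == FIXED[major] and pre)

def scan(dependency_lines):
    """Return (version, affected) for each http2-server entry in lines of the
    form groupId:artifactId:type[:classifier]:version:scope."""
    hits = []
    for line in dependency_lines:
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) >= 5 and ":".join(parts[:2]) == ARTIFACT:
            hits.append((parts[-2], is_affected(parts[-2])))
    return hits

# Constructed sample input, not taken from a real build.
SAMPLE = [
    "[INFO]    org.eclipse.jetty.http2:http2-server:jar:9.4.46.v20220331:compile",
    "[INFO]    org.eclipse.jetty.http2:http2-server:jar:10.0.10:compile",
    "[INFO]    org.eclipse.jetty.http2:http2-server:jar:11.0.9:runtime",
    "[INFO]    org.eclipse.jetty:jetty-util:jar:9.4.46.v20220331:compile",
]

if __name__ == "__main__":
    for version, affected in scan(SAMPLE):
        print(version, "AFFECTED" if affected else "ok")
```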

Last Modified

2022-07-26
