
[jetty-announce] Eclipse Jetty Three Security Advisories - July 2022

The Eclipse Jetty project is announcing three security vulnerabilities affecting
the Eclipse Jetty Server and Eclipse Jetty Client projects.

These were fixed in Jetty 11.0.10, 10.0.10, and 9.4.47. There has been another
release on each branch since then, so all users are encouraged to upgrade to
11.0.11, 10.0.11, or 9.4.48.

CVE-2022-2191 : SslConnection does not release pooled ByteBuffers in case of errors
   Severity (High) 7.5 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
   Affected Jetty versions: <=10.0.9, <=11.0.9
   Patched Jetty versions: 10.0.11, 11.0.11
   Reported on: June 1, 2022
   Reported by: @haveitisyan
   Opened on: June 14, 2022
   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CWE-404 : Improper Resource Shutdown or Release
   CWE-664 : Improper Control of Resource through its Lifetime
   Patch: https://github.com/eclipse/jetty.project/pull/8165


CVE-2022-2047 : Invalid URI parsing may produce invalid HttpURI.authority
   Severity (Low) 2.7 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
   Affected Jetty versions: <=9.4.46, <=10.0.9, <=11.0.9
   Patched Jetty versions: 9.4.48, 10.0.11, 11.0.11
   Reported by: @rafax00
   Reported on: May 12, 2022
   Opened on: May 17, 2022
   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
   CWE-20 : Improper Input Validation
   Patch: https://github.com/eclipse/jetty.project/pull/8146


CVE-2022-2048 : Invalid HTTP/2 requests can lead to denial of service
   Severity (High) 7.5 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
   Affected Jetty versions: <=9.4.46, <=10.0.9, <=11.0.9
   Patched Jetty versions: 9.4.48, 10.0.11, 11.0.11
   Reported by: @bjorncs, @hakonhall
   Reported on: Apr 22, 2022
   Opened on: Apr 22, 2022
   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CWE-410 : Insufficient Resource Pool
   CWE-664 : Improper Control of Resource through its Lifetime
   Patch: https://github.com/eclipse/jetty.project/pull/7938

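To turn the three affected/patched ranges above into a check you can run over a deployment, here is a small version checker. This is an added example, not code from the Eclipse Jetty project or from this announcement. The ranges are transcribed from the advisory blocks above; the ".vYYYYMMDD" qualifier on Jetty 9.4 release numbers (e.g. 9.4.46.v20220331) is real, but the jar file-name pattern it parses ("jetty-<module>-<version>.jar") and the sample classpath listing are assumptions constructed for the example.

```python
"""Check an installed Jetty version against the three advisories listed above.

Added example, not Eclipse Jetty project code. Affected/patched ranges are
copied from the announcement; the jar-name pattern is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    cve: str
    # branch ("9.4", "10.0", "11.0") -> last affected version, inclusive
    affected: Dict[str, Version]
    # branch -> release the announcement asks users to move to
    upgrade_to: Dict[str, str]


# Ranges transcribed from the advisory blocks above. CVE-2022-2191 lists no
# 9.4.x range at all, so a 9.4.x install is never flagged for it.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2022-2191",
             affected={"10.0": (10, 0, 9), "11.0": (11, 0, 9)},
             upgrade_to={"10.0": "10.0.11", "11.0": "11.0.11"}),
    Advisory("CVE-2022-2047",
             affected={"9.4": (9, 4, 46), "10.0": (10, 0, 9), "11.0": (11, 0, 9)},
             upgrade_to={"9.4": "9.4.48", "10.0": "10.0.11", "11.0": "11.0.11"}),
    Advisory("CVE-2022-2048",
             affected={"9.4": (9, 4, 46), "10.0": (10, 0, 9), "11.0": (11, 0, 9)},
             upgrade_to={"9.4": "9.4.48", "10.0": "10.0.11", "11.0": "11.0.11"}),
]

# "10.0.9" or "9.4.46.v20220331": the 9.4 date qualifier plays no part in
# ordering, so it is matched and then discarded.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")
# e.g. "jetty-server-9.4.46.v20220331.jar" (assumed artifact naming)
_JAR_RE = re.compile(r"^jetty-[a-z0-9-]+-(\d+\.\d+\.\d+(?:\.v\d{8})?)\.jar$")


def parse_version(text: str) -> Version:
    """Turn a Jetty version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_from_jar_name(filename: str) -> str:
    """Extract the version from a Jetty artifact file name."""
    m = _JAR_RE.match(filename.strip())
    if not m:
        raise ValueError(f"not a Jetty artifact name: {filename!r}")
    return m.group(1)


def check(version_text: str) -> List[Tuple[str, str]]:
    """Return [(CVE, version to upgrade to)] for each advisory covering this version.

    Raises ValueError for branches the advisories say nothing about (8.x,
    12.x, ...), so that silence is never mistaken for "not affected".
    """
    version = parse_version(version_text)
    branch = f"{version[0]}.{version[1]}"
    if not any(branch in adv.affected for adv in ADVISORIES):
        raise ValueError(f"Jetty {branch}.x is not covered by these advisories")
    findings = []
    for adv in ADVISORIES:
        last_affected = adv.affected.get(branch)
        if last_affected is not None and version <= last_affected:
            findings.append((adv.cve, adv.upgrade_to[branch]))
    return findings


if __name__ == "__main__":
    # Constructed sample: a classpath listing as an inventory scanner might see it.
    sample_jars = [
        "jetty-server-9.4.46.v20220331.jar",
        "jetty-client-10.0.9.jar",
        "jetty-http2-server-11.0.11.jar",
    ]
    for jar in sample_jars:
        hits = check(version_from_jar_name(jar))
        status = ", ".join(f"{cve} (upgrade to {fix})" for cve, fix in hits) or "not affected"
        print(f"{jar}: {status}")
```

The check compares only the numeric (major, minor, patch) triple, which is why a 9.4.47 build with any date qualifier comes out clean while 9.4.46 is flagged for both CVE-2022-2047 and CVE-2022-2048 but not CVE-2022-2191. Treating an unknown branch as an error rather than an empty result is deliberate: an inventory script that prints "not affected" for a Jetty 12 or 8.x jar would be lying about something the advisories never assessed.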

Joakim Erdfelt / joakim@xxxxxxxxxxx
