While these were fixed in the Jetty versions 11.0.10, 10.0.10, and 9.4.47.
11.0.11, or 10.0.11, or 9.4.48
CVE-2022-2191 : SslConnection does not release pooled ByteBuffers in case of errors
Severity (High) 7.5 / 10
https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
Affected Jetty versions: <=10.0.9, <=11.0.9
Patched Jetty versions: 10.0.11, 11.0.11
Reported on: June 1, 2022
Reported by: @haveitisyan
Opened on: June 14, 2022
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-404 : Improper Resource Shutdown or Release
CWE-664 : Improper Control of Resource through its Lifetime
Patch:
https://github.com/eclipse/jetty.project/pull/8165

CVE-2022-2047 : Invalid URI parsing may produce invalid HttpURI.authority
Severity (Low) 2.7 / 10
https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
Affected Jetty versions: <=9.4.46, <=10.0.9, <=11.0.9
Patched Jetty versions: 9.4.48, 10.0.11, 11.0.11
Reported by: @rafax00
Reported on: May 12, 2022
Opened on: May 17, 2022
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CWE-20 : Improper Input Validation
Patch:
https://github.com/eclipse/jetty.project/pull/8146

CVE-2022-2048 : Invalid HTTP/2 requests can lead to denial of service
Severity (High) 7.5 / 10
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
Affected Jetty versions: <=9.4.46, <=10.0.9, <=11.0.9
Patched Jetty versions: 9.4.48, 10.0.11, 11.0.11
Reported by: @bjorncs, @hakonhall
Reported on: Apr 22, 2022
Opened on: Apr 22, 2022
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-410 : Insufficient Resource Pool
CWE-664 : Improper Control of Resource through its Lifetime
Patch:
https://github.com/eclipse/jetty.project/pull/7938