CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentile: 76.5%
A flaw was found in Jetty http2-hpack and http3-qpack. If header values exceed the size limit and the Huffman flag is true, the multiplication in MetaDataBuilder.checkSize will overflow and the computed length will become negative, causing a large buffer allocation on the server and leading to a Denial of Service (DoS).
No mitigations are currently available for this vulnerability.
bugzilla.redhat.com/show_bug.cgi?id=2243123
github.com/eclipse/jetty.project/pull/9634
github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16
github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16
github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r
nvd.nist.gov/vuln/detail/CVE-2023-36478
www.cve.org/CVERecord?id=CVE-2023-36478