Veracode Vulnerability DatabaseVERACODE:43778Denial Of Service (DoS)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
76.5%
org.eclipse.jetty is vulnerable to Denial Of Service (DoS). The vulnerability arises from the library’s failure to appropriately limit the size in HPACK header values. This allows an attacker to repeatedly send maliciously crafted HTTP messages, leading to an integer overflow and ultimately causing an application crash through the checkSize function in MetaDataBuilder.java.
References
www.openwall.com/lists/oss-security/2023/10/18/4
github.com/advisories/GHSA-wgh7-54f2-x98r
github.com/eclipse/jetty.project/commit/c3b6b47915458199f39b08d542669d31fddb8901
github.com/eclipse/jetty.project/commit/c3b6b47915458199f39b08d542669d31fddb8901
github.com/eclipse/jetty.project/commit/c7a4b05fc735e73e7522cb617c079045b709957b
github.com/eclipse/jetty.project/pull/9634
github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16
github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16
github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r
lists.debian.org/debian-lts-announce/2023/10/msg00045.html
security.netapp.com/advisory/ntap-20231116-0011/
security.netapp.com/advisory/ntap-20240621-0006/
www.debian.org/security/2023/dsa-5540
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
76.5%