CVE-2018-12545

HIGH

Eclipse Jetty 9.3.x-9.4.x - Denial of Service via Large or Numerous SETTINGS Frames

Title source: llm

Description

In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Scores

CVSS v3 7.5
EPSS 0.0354
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-770 CWE-400
Status published
Products (26)
eclipse/jetty 9.3.0 20150601 (8 CPE variants)
eclipse/jetty 9.3.1 20150714
eclipse/jetty 9.3.2 20150730
eclipse/jetty 9.3.3 20150825 (2 CPE variants)
eclipse/jetty 9.3.4 20151005 (4 CPE variants)
eclipse/jetty 9.3.5 20151012
eclipse/jetty 9.3.6 20151106
eclipse/jetty 9.3.7 20160115 (3 CPE variants)
eclipse/jetty 9.3.8 20160311 (3 CPE variants)
eclipse/jetty 9.3.9 20160517 (3 CPE variants)
... and 16 more
Published Mar 27, 2019
Tracked Since Feb 18, 2026