CVE-2018-12545
Severity: HIGH
Eclipse Jetty 9.3.x-9.4.x - Denial of Service via Large or Numerous SETTINGS Frames
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
References (9)
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606%40%3Cdevnull.infra.apache.org%3E
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79%40%3Cnotifications.accumulo.apache.org%3E
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2%40%3Ccommits.accumulo.apache.org%3E
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
Mailing List, Third Party Advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6/
Mailing List (x_refsource_mlist): https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuoct2020.html
Issue Tracking, Vendor Advisory (x_refsource_confirm): https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
Scores
CVSS v3
7.5
EPSS
0.0354
EPSS Percentile
87.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-770
CWE-400
Status
published
Products (26)
eclipse/jetty 9.3.0 20150601 (8 CPE variants)
eclipse/jetty 9.3.1 20150714
eclipse/jetty 9.3.2 20150730
eclipse/jetty 9.3.3 20150825 (2 CPE variants)
eclipse/jetty 9.3.4 20151005 (4 CPE variants)
eclipse/jetty 9.3.5 20151012
eclipse/jetty 9.3.6 20151106
eclipse/jetty 9.3.7 20160115 (3 CPE variants)
eclipse/jetty 9.3.8 20160311 (3 CPE variants)
eclipse/jetty 9.3.9 20160517 (3 CPE variants)
... and 16 more
Published
Mar 27, 2019
Tracked Since
Feb 18, 2026