CVE-2021-28165

HIGH

Eclipse Jetty < 9.4.39 - Improper Exception Handling

Title source: rule

Description

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Exploits (1)

nomisec WRITEUP

by uthrasri · poc

https://github.com/uthrasri/CVE-2021-28165

View Code ZIP pw:eip

References (107)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2021/04/20/3

[Exploit, Third Party Advisory] https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

[Mailing List, Third Party Advisory] https://security.netapp.com/advisory/ntap-20210611-0006/

[Third Party Advisory] https://www.debian.org/security/2021/dsa-4949

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Not Applicable, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

[Mailing List] https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc%40%3Cnotifications.zookeeper.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad%40%3Creviews.spark.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5%40%3Creviews.spark.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7%40%3Cjira.kafka.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2%40%3Ccommits.zookeeper.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add%40%3Creviews.spark.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3%40%3Cjira.kafka.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42%40%3Creviews.spark.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4%40%3Cissues.hbase.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E

... and 87 more

Scores

CVSS v3 7.5

EPSS 0.1199

EPSS Percentile 93.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-755 CWE-551 CWE-400

Status published

Products (23)

eclipse/jetty 7.2.2 - 9.4.39

jenkins/jenkins < 2.277.3

jenkins/jenkins < 2.286

netapp/cloud_manager < 3.9.8

netapp/e-series_performance_analyzer < 3.0

netapp/e-series_santricity_os_controller 11.0.0 - 11.70.1

netapp/e-series_santricity_storage < 1.10

netapp/e-series_santricity_web_services < 5.1

netapp/ontap_tools < 9.10

netapp/santricity_cloud_connector

... and 13 more

Published Apr 01, 2021

Tracked Since Feb 18, 2026