The Eclipse Jetty project is announcing 3 security vulnerabilities for
the Eclipse Jetty Server and Eclipse Jetty Client projects.

These were fixed in Jetty versions 11.0.10, 10.0.10, and 9.4.47, but
there has been another release since then, so all are encouraged to
upgrade to 11.0.11, 10.0.11, or 9.4.48.

CVE-2022-2191 : SslConnection does not release pooled ByteBuffers in case of errors
   Severity (High) 7.5 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
   Affected Jetty versions: <=10.0.9, <=11.0.9
   Patched Jetty versions: 10.0.11, 11.0.11
   Reported on: June 1, 2022
   Reported by: @haveitisyan
   Opened on: June 14, 2022
   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CWE-404 : Improper Resource Shutdown or Release
   CWE-664 : Improper Control of Resource through its Lifetime
   Patch: https://github.com/eclipse/jetty.project/pull/8165


CVE-2022-2047 : Invalid URI parsing may produce invalid HttpURI.authority
   Severity (Low) 2.7 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
   Affected Jetty versions: <=9.4.46, <=10.0.9, <=11.0.9
   Patched Jetty versions: 9.4.48, 10.0.11, 11.0.11
   Reported by: @rafax00
   Reported on: May 12, 2022
   Opened on: May 17, 2022
   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
   CWE-20 : Improper Input Validation
   Patch: https://github.com/eclipse/jetty.project/pull/8146


CVE-2022-2048 : Invalid HTTP/2 requests can lead to denial of service
   Severity (High) 7.5 / 10
   https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
   Affected Jetty versions: <=9.4.46, <=10.0.9, <=11.0.9
   Patched Jetty versions: 9.4.48, 10.0.11, 11.0.11
   Reported by: @bjorncs, @hakonhall
   Reported on: Apr 22, 2022
   Opened on: Apr 22, 2022
   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CWE-410 : Insufficient Resource Pool
   CWE-664 : Improper Control of Resource through its Lifetime
   Patch: https://github.com/eclipse/jetty.project/pull/7938


Joakim Erdfelt / joa...@webtide.com