CVE-2018-12545 — Uncontrolled Resource Consumption in Eclipse Foundation Eclipse Jetty

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling9 documents7 sources

Severity

7.5HIGHNVD

EPSS

3.0%

top 13.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Jetty Eclipse Jetty Fedoraproject Fedora

Timeline

PublishedMar 27

Latest updateApr 4

Description

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5the_eclipse_foundation/eclipse_jetty9.3.0 — unspecified+1

▶NVDeclipse/jetty38 versions+37

Also affects: Fedora 28

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server↗2019-03-28

▶

GHSA

Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server↗2019-03-28

▶

OSV

CVE-2018-12545: In Eclipse Jetty version 9↗2019-03-27

▶

CVEList

CVE-2018-12545: In Eclipse Jetty version 9↗2019-03-27

▶

📋Vendor Advisories

Red Hat

jetty: large settings frames causing denial of service↗2019-03-20

▶

Debian

CVE-2018-12545: jetty9 - In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of ...↗2018

▶

💬Community

Bugzilla

CVE-2018-12545 jetty: large settings frames causing denial of service [fedora-all]↗2019-04-04

▶

Bugzilla

CVE-2018-12545 jetty: large settings frames causing denial of service↗2019-04-04

▶