CVE-2022-2048 — Insufficient Resource Pool in Eclipse Foundation Eclipse Jetty

CWE-410 — Insufficient Resource Pool CWE-664 — Improper Control of a Resource Through its Lifetime CWE-400 — Uncontrolled Resource Consumption CWE-401 — Missing Release of Memory after Effective Lifetime CWE-772 — Missing Release of Resource after Effective Lifetime CWE-476 — NULL Pointer Dereference CWE-787 — Out-of-bounds Write CWE-122 — Heap-based Buffer Overflow31 documents9 sources

Severity

7.5HIGHNVD

EPSS

1.3%

top 20.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Jetty Eclipse Jetty Jenkins +1 more

Timeline

PublishedJul 7

Latest updateDec 24

Description

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDeclipse/jetty10.0.0 — 10.0.9+2

▶CVEListV5the_eclipse_foundation/eclipse_jetty9.4.0 — unspecified+5

▶NVDjenkins/jenkins< 2.263+1

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

OSV

scsi: efct: Fix possible memleak in efct_device_init()↗2025-12-24

▶

OSV

powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()↗2025-12-09

▶

OSV

CVE-2022-2048: In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly↗2022-07-07

▶

OSV

Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service↗2022-07-07

▶

GHSA

Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service↗2022-07-07

▶

📋Vendor Advisories

Red Hat

kernel: scsi: efct: Fix possible memleak in efct_device_init()↗2025-12-24

▶

Red Hat

kernel: r6040: Fix kmemleak in probe and remove↗2025-10-07

▶

Red Hat

kernel: rtc: class: Fix potential memleak in devm_rtc_allocate_device()↗2025-10-04

▶

Red Hat

kernel: orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()↗2025-09-18

▶

Red Hat

kernel: bpf: Fix memory leaks in __check_func_call↗2025-05-01

▶