CVE-2022-2191

CWE-404 | CWE-664 | 8 documents | 7 sources
Severity: 7.5 HIGH
EPSS: 0.7% (top 28.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 7
Latest update: Oct 15

Description

In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool on error code paths.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Maven | org.eclipse.jetty:jetty-server | 10.0.0 | 10.0.10 | +1
CVEListV5 | the_eclipse_foundation/eclipse_jetty | 10.0.0 | unspecified | +3
NVD | eclipse/jetty | 10.0.0 | 10.0.9 | +1

🔴 Vulnerability Details (4)

GHSA: Jetty SslConnection does not release pooled ByteBuffers in case of errors (2022-07-07)
CVEList: CVE-2022-2191: In Eclipse Jetty versions 10 (2022-07-07)
OSV: Jetty SslConnection does not release pooled ByteBuffers in case of errors (2022-07-07)
OSV: CVE-2022-2191: In Eclipse Jetty versions 10 (2022-07-07)

📋 Vendor Advisories (3)

Oracle: Oracle Oracle Communications Risk Matrix: Platform (Eclipse Jetty) — CVE-2022-2191 (2022-10-15)
Red Hat: jetty-server: Improper release of ByteBuffers in SslConnections (2022-07-07)
Debian: CVE-2022-2191: jetty9 - In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, S... (2022)