CVE-2022-2048 (High) detected in http2-server-9.4.31.v20200723.jar

[mend-bolt-for-github[bot]]

CVE-2022-2048 - High Severity Vulnerability

Vulnerable Library - http2-server-9.4.31.v20200723.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tests/test-integration/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar

Dependency Hierarchy: - :x: **http2-server-9.4.31.v20200723.jar** (Vulnerable Library)

Found in HEAD commit: d21e42ca49dd7dfc49c40dd5e12fe263140afbdb

Found in base branch: master

Vulnerability Details

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.

Publish Date: 2022-07-07

URL: CVE-2022-2048

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j

Release Date: 2022-07-07

Fix Resolution: 9.4.47.v20220610

---

Step up your Open Source Security Game with Mend here