search

hshivhare67 / Jetty_v9.4.31_CVE-2023-26049

Other
0 stars 0 forks source link

http2-server-9.4.31.v20200723.jar: 2 vulnerabilities (highest severity is: 7.5) - autoclosed #189

Closed mend-bolt-for-github[bot] closed 4 months ago

mend-bolt-for-github[bot] commented 4 months ago
Vulnerable Library - http2-server-9.4.31.v20200723.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-osgi/test-jetty-osgi/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (http2-server version) Remediation Possible**
CVE-2023-44487 High 7.5 http2-server-9.4.31.v20200723.jar Direct 9.4.53.v20231009
CVE-2022-2048 High 7.5 http2-server-9.4.31.v20200723.jar Direct 9.4.47.v20220610

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-44487 ### Vulnerable Library - http2-server-9.4.31.v20200723.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-osgi/test-jetty-osgi/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar

Dependency Hierarchy: - :x: **http2-server-9.4.31.v20200723.jar** (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

### Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: 9.4.53.v20231009

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-2048 ### Vulnerable Library - http2-server-9.4.31.v20200723.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-osgi/test-jetty-osgi/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/http2/http2-server/9.4.31.v20200723/http2-server-9.4.31.v20200723.jar

Dependency Hierarchy: - :x: **http2-server-9.4.31.v20200723.jar** (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

### Vulnerability Details

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.

Publish Date: 2022-07-07

URL: CVE-2022-2048

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j

Release Date: 2022-07-07

Fix Resolution: 9.4.47.v20220610

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.