
CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool on error code paths.

A flaw was found in the Jetty-server package. This flaw allows an attacker to send invalid requests, causing a denial of service in the Jetty Server.

• https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
• https://security.netapp.com/advisory/ntap-20220909-0003
• https://access.redhat.com/security/cve/CVE-2022-2191
• https://bugzilla.redhat.com/show_bug.cgi?id=2116953

• CWE-404: Improper Resource Shutdown or Release
• CWE-664: Improper Control of a Resource Through its Lifetime

CVSS: 4.0 • EPSS: 0% • CPEs: 10 • EXPL: 0

In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

A flaw was found in Eclipse Jetty. When parsing the authority segment of an HTTP scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname.

• https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
• https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html
• https://security.netapp.com/advisory/ntap-20220901-0006
• https://www.debian.org/security/2022/dsa-5198
• https://access.redhat.com/security/cve/CVE-2022-2047
• https://bugzilla.redhat.com/show_bug.cgi?id=2116949

• CWE-20: Improper Input Validation

CVSS: 7.5 • EPSS: 0% • CPEs: 12 • EXPL: 0

In the Eclipse Jetty HTTP/2 server implementation, when an invalid HTTP/2 request is encountered, the error handling has a bug that can result in active connections and their associated resources not being properly cleaned up. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.

A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.

• http://www.openwall.com/lists/oss-security/2022/09/09/2
• https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
• https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html
• https://security.netapp.com/advisory/ntap-20220901-0006
• https://www.debian.org/security/2022/dsa-5198
• https://access.redhat.com/security/cve/CVE-2022-2048
• https://bugzilla.redhat.com/show_bug.cgi?id=2116952

• CWE-410: Insufficient Resource Pool
• CWE-664: Improper Control of a Resource Through its Lifetime

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.

• https://projects.eclipse.org/projects/iot.cyclonedds
• https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02

• CWE-228: Improper Handling of Syntactically Invalid Structure

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.

• https://projects.eclipse.org/projects/iot.cyclonedds
• https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02

• CWE-123: Write-what-where Condition