Denial of Service Vulnerability in Eclipse Jetty Server
CVE-2018-12545

7.5HIGH

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Jetty
Vendor: CVE Published:; 27 March 2019

What is CVE-2018-12545?

Eclipse Jetty versions 9.3.x and 9.4.x are susceptible to Denial of Service attacks when a remote client sends excessively large SETTINGS frames or multiple small SETTINGS frames. The vulnerability arises from the server's increased CPU and memory demand to accommodate these frame modifications, potentially leading to resource exhaustion and service unavailability.

Affected Version(s)

Eclipse Jetty 9.3.0

Eclipse Jetty < 9.4.12

References

https://lists.apache.org/thread.html/70744fe4faba8e2fa7e5...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/febc94ffec9275dcda64...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/13f5241048ec0bf966a6...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 27, 2019
Vulnerability Reserved
Jun 18, 2018

The Eclipse Foundation

What is CVE-2018-12545?

Affected Version(s)

References

CVSS V3.1

Timeline