CVE-2018-12545

In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Published: 2019-03-27 20:29    Updated: 2019-10-09 23:34

CVSS Score: 5.0 / 10
Vendor Product Version CPE URI
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:20150601
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:20150608
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:20150612
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:maintenance_0
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:maintenance_1
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:maintenance_2
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:rc0
Eclipse Jetty 9.3.0 cpe:/a:eclipse:jetty:9.3.0:rc1
Eclipse Jetty 9.3.1 cpe:/a:eclipse:jetty:9.3.1:20150714
Eclipse Jetty 9.3.2 cpe:/a:eclipse:jetty:9.3.2:20150730
Eclipse Jetty 9.3.3 cpe:/a:eclipse:jetty:9.3.3:20150825
Eclipse Jetty 9.3.3 cpe:/a:eclipse:jetty:9.3.3:20150827
Eclipse Jetty 9.3.4 cpe:/a:eclipse:jetty:9.3.4:20151005
Eclipse Jetty 9.3.4 cpe:/a:eclipse:jetty:9.3.4:20151007
Eclipse Jetty 9.3.4 cpe:/a:eclipse:jetty:9.3.4:rc0
Eclipse Jetty 9.3.4 cpe:/a:eclipse:jetty:9.3.4:rc1
Eclipse Jetty 9.3.5 cpe:/a:eclipse:jetty:9.3.5:20151012
Eclipse Jetty 9.3.6 cpe:/a:eclipse:jetty:9.3.6:20151106
Eclipse Jetty 9.3.7 cpe:/a:eclipse:jetty:9.3.7:20160115
Eclipse Jetty 9.3.7 cpe:/a:eclipse:jetty:9.3.7:rc0
Eclipse Jetty 9.3.7 cpe:/a:eclipse:jetty:9.3.7:rc1
Eclipse Jetty 9.3.8 cpe:/a:eclipse:jetty:9.3.8:20160311
Eclipse Jetty 9.3.8 cpe:/a:eclipse:jetty:9.3.8:20160314
Eclipse Jetty 9.3.8 cpe:/a:eclipse:jetty:9.3.8:rc0
Eclipse Jetty 9.3.9 cpe:/a:eclipse:jetty:9.3.9:20160517
Eclipse Jetty 9.3.9 cpe:/a:eclipse:jetty:9.3.9:maintenance_0
Eclipse Jetty 9.3.9 cpe:/a:eclipse:jetty:9.3.9:maintenance_1
Eclipse Jetty 9.3.10 cpe:/a:eclipse:jetty:9.3.10:20160621
Eclipse Jetty 9.3.10 cpe:/a:eclipse:jetty:9.3.10:maintenance_0
Eclipse Jetty 9.3.11 cpe:/a:eclipse:jetty:9.3.11:20160721
Eclipse Jetty 9.3.11 cpe:/a:eclipse:jetty:9.3.11:maintenance_0
Eclipse Jetty 9.3.12 cpe:/a:eclipse:jetty:9.3.12:20160915
Eclipse Jetty 9.3.13 cpe:/a:eclipse:jetty:9.3.13:20161014
Eclipse Jetty 9.3.13 cpe:/a:eclipse:jetty:9.3.13:maintenance_0
Eclipse Jetty 9.3.14 cpe:/a:eclipse:jetty:9.3.14:20161028
Eclipse Jetty 9.3.15 cpe:/a:eclipse:jetty:9.3.15:20161220
Eclipse Jetty 9.3.16 cpe:/a:eclipse:jetty:9.3.16:20170119
Eclipse Jetty 9.3.16 cpe:/a:eclipse:jetty:9.3.16:20170120
Eclipse Jetty 9.3.17 cpe:/a:eclipse:jetty:9.3.17:20170317
Eclipse Jetty 9.3.17 cpe:/a:eclipse:jetty:9.3.17:rc0
Eclipse Jetty 9.3.18 cpe:/a:eclipse:jetty:9.3.18:20170406
Eclipse Jetty 9.3.19 cpe:/a:eclipse:jetty:9.3.19:20170502
Eclipse Jetty 9.3.20 cpe:/a:eclipse:jetty:9.3.20:20170531
Eclipse Jetty 9.3.21 cpe:/a:eclipse:jetty:9.3.21:20170918
Eclipse Jetty 9.3.21 cpe:/a:eclipse:jetty:9.3.21:maintenance_0
Eclipse Jetty 9.3.21 cpe:/a:eclipse:jetty:9.3.21:rc0
Eclipse Jetty 9.3.22 cpe:/a:eclipse:jetty:9.3.22:20171030
Eclipse Jetty 9.3.23 cpe:/a:eclipse:jetty:9.3.23:20180228
Eclipse Jetty 9.3.24 cpe:/a:eclipse:jetty:9.3.24:20180605
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:20161207
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:20161208
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:20180619
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:maintenance_0
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:maintenance_1
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc0
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc1
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc2
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc3
Eclipse Jetty 9.4.1 cpe:/a:eclipse:jetty:9.4.1:20170120
Eclipse Jetty 9.4.1 cpe:/a:eclipse:jetty:9.4.1:20180619
Eclipse Jetty 9.4.2 cpe:/a:eclipse:jetty:9.4.2:20170220
Eclipse Jetty 9.4.2 cpe:/a:eclipse:jetty:9.4.2:20180619
Eclipse Jetty 9.4.3 cpe:/a:eclipse:jetty:9.4.3:20170317
Eclipse Jetty 9.4.3 cpe:/a:eclipse:jetty:9.4.3:20180619
Eclipse Jetty 9.4.4 cpe:/a:eclipse:jetty:9.4.4:20170410
Eclipse Jetty 9.4.4 cpe:/a:eclipse:jetty:9.4.4:20170414
Eclipse Jetty 9.4.4 cpe:/a:eclipse:jetty:9.4.4:20180619
Eclipse Jetty 9.4.5 cpe:/a:eclipse:jetty:9.4.5:20170502
Eclipse Jetty 9.4.5 cpe:/a:eclipse:jetty:9.4.5:20180619
Eclipse Jetty 9.4.6 cpe:/a:eclipse:jetty:9.4.6:20170531
Eclipse Jetty 9.4.6 cpe:/a:eclipse:jetty:9.4.6:20180619
Eclipse Jetty 9.4.7 cpe:/a:eclipse:jetty:9.4.7:20170914
Eclipse Jetty 9.4.7 cpe:/a:eclipse:jetty:9.4.7:20180619
Eclipse Jetty 9.4.7 cpe:/a:eclipse:jetty:9.4.7:rc0
Eclipse Jetty 9.4.8 cpe:/a:eclipse:jetty:9.4.8:20171121
Eclipse Jetty 9.4.8 cpe:/a:eclipse:jetty:9.4.8:20180619
Eclipse Jetty 9.4.9 cpe:/a:eclipse:jetty:9.4.9:20180320
Eclipse Jetty 9.4.10 cpe:/a:eclipse:jetty:9.4.10:20180503
Eclipse Jetty 9.4.10 cpe:/a:eclipse:jetty:9.4.10:rc0
Eclipse Jetty 9.4.10 cpe:/a:eclipse:jetty:9.4.10:rc1
Eclipse Jetty 9.4.11 cpe:/a:eclipse:jetty:9.4.11:20180605
Eclipse Jetty 9.4.12 cpe:/a:eclipse:jetty:9.4.12:rc0
Eclipse Jetty 9.4.12 cpe:/a:eclipse:jetty:9.4.12:rc1
Eclipse Jetty 9.4.12 cpe:/a:eclipse:jetty:9.4.12:rc2
Fedoraproject Fedora 28 cpe:/o:fedoraproject:fedora:28

CWE

ID Name Description
CWE-20 Improper Input Validation The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.