CVE-2018-12545
Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server
7.5
HIGH
CVSS 3.1
EPSS 3.5%
Description
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
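The two traffic shapes the description names (one SETTINGS frame carrying many settings, or a stream of many small SETTINGS frames) can be checked for in a captured HTTP/2 byte stream. The following is an added defender-side example, not Jetty's own code or its fix; the frame parser follows the RFC 7540 frame layout, while the per-frame and per-connection budgets and the `build_settings_frame` helper are assumptions constructed for the example.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTINGS_ENTRY_LEN = 6   # 16-bit identifier + 32-bit value per setting
FRAME_HEADER_LEN = 9     # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id


def parse_frames(data: bytes):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples."""
    frames, offset = [], 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) != length:
            break  # truncated frame at the end of the capture; stop parsing
        frames.append((frame_type, flags, stream_id, payload))
        offset += FRAME_HEADER_LEN + length
    return frames


def assess_settings_load(data: bytes, max_keys_per_frame: int = 64, max_frames: int = 32):
    """Return findings for SETTINGS traffic exceeding the assumed per-frame/per-connection budgets."""
    findings, settings_frames = [], 0
    for frame_type, flags, _stream_id, payload in parse_frames(data):
        if frame_type != SETTINGS_FRAME_TYPE or flags & SETTINGS_ACK_FLAG:
            continue  # only non-ACK SETTINGS frames carry settings the server must apply
        settings_frames += 1
        if len(payload) % SETTINGS_ENTRY_LEN:
            findings.append(f"malformed SETTINGS payload of {len(payload)} bytes")
            continue
        keys = len(payload) // SETTINGS_ENTRY_LEN
        if keys > max_keys_per_frame:
            findings.append(f"SETTINGS frame with {keys} settings exceeds budget of {max_keys_per_frame}")
    if settings_frames > max_frames:
        findings.append(f"{settings_frames} SETTINGS frames on one connection exceeds budget of {max_frames}")
    return findings


def build_settings_frame(entries):
    """Constructed helper: encode (identifier, value) pairs as one SETTINGS frame on stream 0."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_FRAME_TYPE, 0]) + bytes(4)
    return header + payload
```

A normal handshake frame with a few settings produces no findings, while a single frame carrying hundreds of settings or a connection sending dozens of tiny frames each produces one.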
How to fix CVE-2018-12545
To remediate CVE-2018-12545, upgrade the affected package to a fixed version below.
- upgrade to 9.4.12.v20180830 or later
Is CVE-2018-12545 being exploited?
Low — EPSS is 3.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 9.4.0, < 9.4.12.v20180830
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |