CVE-2018-12545

EPSS 6.28%
Veröffentlicht 27.03.2019 20:29:03
Zuletzt bearbeitet 21.11.2024 03:45:24
Quelle emo@eclipse.org
Teams Watchlist Login
Unerledigt Login

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Eclipse ≫ Jetty Version9.3.0 Update20150601

Eclipse ≫ Jetty Version9.3.0 Update20150608

Eclipse ≫ Jetty Version9.3.0 Update20150612

Eclipse ≫ Jetty Version9.3.0 Updatemaintenance0

Eclipse ≫ Jetty Version9.3.0 Updatemaintenance1

Eclipse ≫ Jetty Version9.3.0 Updatemaintenance2

Eclipse ≫ Jetty Version9.3.0 Updaterc0

Eclipse ≫ Jetty Version9.3.0 Updaterc1

Eclipse ≫ Jetty Version9.3.1 Update20150714

Eclipse ≫ Jetty Version9.3.2 Update20150730

Eclipse ≫ Jetty Version9.3.3 Update20150825

Eclipse ≫ Jetty Version9.3.3 Update20150827

Eclipse ≫ Jetty Version9.3.4 Update20151005

Eclipse ≫ Jetty Version9.3.4 Update20151007

Eclipse ≫ Jetty Version9.3.4 Updaterc0

Eclipse ≫ Jetty Version9.3.4 Updaterc1

Eclipse ≫ Jetty Version9.3.5 Update20151012

Eclipse ≫ Jetty Version9.3.6 Update20151106

Eclipse ≫ Jetty Version9.3.7 Update20160115

Eclipse ≫ Jetty Version9.3.7 Updaterc0

Eclipse ≫ Jetty Version9.3.7 Updaterc1

Eclipse ≫ Jetty Version9.3.8 Update20160311

Eclipse ≫ Jetty Version9.3.8 Update20160314

Eclipse ≫ Jetty Version9.3.8 Updaterc0

Eclipse ≫ Jetty Version9.3.9 Update20160517

Eclipse ≫ Jetty Version9.3.9 Updatemaintenance_0

Eclipse ≫ Jetty Version9.3.9 Updatemaintenance_1

Eclipse ≫ Jetty Version9.3.10 Update20160621

Eclipse ≫ Jetty Version9.3.10 Updatemaintenance_0

Eclipse ≫ Jetty Version9.3.11 Update20160721

Eclipse ≫ Jetty Version9.3.11 Updatemaintenance_0

Eclipse ≫ Jetty Version9.3.12 Update20160915

Eclipse ≫ Jetty Version9.3.13 Update20161014

Eclipse ≫ Jetty Version9.3.13 Updatemaintenance_0

Eclipse ≫ Jetty Version9.3.14 Update20161028

Eclipse ≫ Jetty Version9.3.15 Update20161220

Eclipse ≫ Jetty Version9.3.16 Update20170119

Eclipse ≫ Jetty Version9.3.16 Update20170120

Eclipse ≫ Jetty Version9.3.17 Update20170317

Eclipse ≫ Jetty Version9.3.17 Updaterc0

Eclipse ≫ Jetty Version9.3.18 Update20170406

Eclipse ≫ Jetty Version9.3.19 Update20170502

Eclipse ≫ Jetty Version9.3.20 Update20170531

Eclipse ≫ Jetty Version9.3.21 Update20170918

Eclipse ≫ Jetty Version9.3.21 Updatemaintenance_0

Eclipse ≫ Jetty Version9.3.21 Updaterc0

Eclipse ≫ Jetty Version9.3.22 Update20171030

Eclipse ≫ Jetty Version9.3.23 Update20180228

Eclipse ≫ Jetty Version9.3.24 Update20180605

Eclipse ≫ Jetty Version9.4.0 Update20161207

Eclipse ≫ Jetty Version9.4.0 Update20161208

Eclipse ≫ Jetty Version9.4.0 Update20180619

Eclipse ≫ Jetty Version9.4.0 Updatemaintenance_0

Eclipse ≫ Jetty Version9.4.0 Updatemaintenance_1

Eclipse ≫ Jetty Version9.4.0 Updaterc0

Eclipse ≫ Jetty Version9.4.0 Updaterc1

Eclipse ≫ Jetty Version9.4.0 Updaterc2

Eclipse ≫ Jetty Version9.4.0 Updaterc3

Eclipse ≫ Jetty Version9.4.1 Update20170120

Eclipse ≫ Jetty Version9.4.1 Update20180619

Eclipse ≫ Jetty Version9.4.2 Update20170220

Eclipse ≫ Jetty Version9.4.2 Update20180619

Eclipse ≫ Jetty Version9.4.3 Update20170317

Eclipse ≫ Jetty Version9.4.3 Update20180619

Eclipse ≫ Jetty Version9.4.4 Update20170410

Eclipse ≫ Jetty Version9.4.4 Update20170414

Eclipse ≫ Jetty Version9.4.4 Update20180619

Eclipse ≫ Jetty Version9.4.5 Update20170502

Eclipse ≫ Jetty Version9.4.5 Update20180619

Eclipse ≫ Jetty Version9.4.6 Update20170531

Eclipse ≫ Jetty Version9.4.6 Update20180619

Eclipse ≫ Jetty Version9.4.7 Update20170914

Eclipse ≫ Jetty Version9.4.7 Update20180619

Eclipse ≫ Jetty Version9.4.7 Updaterc0

Eclipse ≫ Jetty Version9.4.8 Update20171121

Eclipse ≫ Jetty Version9.4.8 Update20180619

Eclipse ≫ Jetty Version9.4.9 Update20180320

Eclipse ≫ Jetty Version9.4.10 Update20180503

Eclipse ≫ Jetty Version9.4.10 Updaterc0

Eclipse ≫ Jetty Version9.4.10 Updaterc1

Eclipse ≫ Jetty Version9.4.11 Update20180605

Eclipse ≫ Jetty Version9.4.12 Updaterc0

Eclipse ≫ Jetty Version9.4.12 Updaterc1

Eclipse ≫ Jetty Version9.4.12 Updaterc2

Fedoraproject ≫ Fedora Version28

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	6.28%	0.906

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Patch

Third Party Advisory

https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096

Vendor Advisory

Issue Tracking

https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2%40%3Ccommits.accumulo.apache.org%3E

https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606%40%3Cdevnull.infra.apache.org%3E