CVE-2021-28165 (High) detected in jetty-io-9.4.17.v20190418.jar

Question

CVE-2021-28165 (High) detected in jetty-io-9.4.17.v20190418.jar

Opened this issue 2 years ago · 0 comments

mend-bolt-for-github commented 2 years ago

CVE-2021-28165 - High Severity Vulnerability

Vulnerable Library - jetty-io-9.4.17.v20190418.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.17.v20190418/jetty-io-9.4.17.v20190418.jar

Dependency Hierarchy:

jetty-server-9.4.17.v20190418.jar (Root Library)
- ❌ jetty-io-9.4.17.v20190418.jar (Vulnerable Library)

Found in HEAD commit: 7baeabef941f276d373d889506fe0a0cf89f4ee6

Found in base branch: master

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution (org.eclipse.jetty:jetty-io): 9.4.39.v20210325

Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 9.4.35.v20201120

Step up your Open Source Security Game with Mend here