
CVE-2022-2048: Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.77529%
Published: 7/7/2022
Updated: 7/24/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.eclipse.jetty.http2:http2-server | maven | < 9.4.47 | 9.4.47 |
| org.eclipse.jetty.http2:http2-server | maven | >= 10.0.0, < 10.0.10 | 10.0.10 |
| org.eclipse.jetty.http2:http2-server | maven | >= 11.0.0, < 11.0.10 | 11.0.10 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper threading in HTTP/2 error handling. Jetty's selector threads (non-blocking I/O threads) were directly writing blocking error responses for invalid requests. Key functions in the HTTP/2 connection/session handling stack (HTTP2ServerConnection and HTTP2Connection) trigger synchronous error writes during failure scenarios. These functions are explicitly tied to the vulnerability's root cause described in advisories: blocking operations on selector threads during error response generation. The confidence is high because the HTTP/2 server implementation's error-handling flow matches the described attack vector.


WAF Protection Rules

WAF Rule

Description

Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the co
