7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2048

GHSA ID

GHSA-wgmr-mf83-7x4j

EPSS Score

0.77529%

CWE

CWE-400

Published

7/7/2022

Updated

7/24/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2048

CVE-2022-2048:
Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service

Description

Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service.

Impact

A malicious client may render the server unresponsive.

Patches

The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10.

Workarounds

No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy)

For more information

If you have any questions or comments about this advisory:

Email us at security@webtide.com.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2048

GHSA ID

GHSA-wgmr-mf83-7x4j

EPSS Score

0.77529%

CWE

CWE-400

Published

7/7/2022

Updated

7/24/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty.http2:http2-server	maven	< 9.4.47	9.4.47
org.eclipse.jetty.http2:http2-server	maven	>= 10.0.0, < 10.0.10	10.0.10
org.eclipse.jetty.http2:http2-server	maven	>= 11.0.0, < 11.0.10	11.0.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper threading in HTTP/2 error handling. Jetty's selector threads (non-blocking I/O threads) were directly writing blocking error responses for invalid requests. Key functions in the HTTP/2 connection/session handling stack (HTTP2ServerConnection and HTTP2Connection) trigger synchronous error writes during failure scenarios. These functions are explicitly tied to the vulnerability's root cause described in advisories: blocking operations on selector threads during error response generation. The confidence is high because the HTTP/2 server implementation's error-handling flow matches the described attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription Inv*li* *TTP/* r*qu*sts (*or *x*mpl*, inv*li* URIs) *r* in*orr**tly **n*l** *y writin* * *lo*kin* *rror r*spons* *ir**tly *rom t** s*l**tor t*r***. I* t** *li*nt m*n***s to *x**ust t** *TTP/* *low *ontrol win*ow, or T*P *on**st t** *o

Reasoning

T** vuln*r**ility st*ms *rom improp*r t*r***in* in `*TTP/*` *rror **n*lin*. J*tty's s*l**tor t*r***s (non-*lo*kin* I/O t*r***s) w*r* *ir**tly writin* *lo*kin* *rror r*spons*s *or inv*li* r*qu*sts. K*y *un*tions in t** `*TTP/*` *onn**tion/s*ssion **n*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-2048: Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service

Description

Impact

Patches

Workarounds

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-2048:
Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service

Vulnerability Intelligence
Miggo AI