CVE-2022-2048: Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.77529%
CWE
Published
7/7/2022
Updated
7/24/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.eclipse.jetty.http2:http2-server | maven | < 9.4.47 | 9.4.47 |
org.eclipse.jetty.http2:http2-server | maven | >= 10.0.0, < 10.0.10 | 10.0.10 |
org.eclipse.jetty.http2:http2-server | maven | >= 11.0.0, < 11.0.10 | 11.0.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper threading in HTTP/2
error handling. Jetty's selector threads (non-blocking I/O threads) were directly writing blocking error responses for invalid requests. Key functions in the HTTP/2
connection/session handling stack (HTTP2ServerConnection
and HTTP2Connection
) trigger synchronous error writes during failure scenarios. These functions are explicitly tied to the vulnerability's root cause described in advisories: blocking operations on selector threads during error response generation. The confidence is high because the HTTP/2
server implementation's error-handling flow matches the described attack vector.