Описание
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.
This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.
In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the server's response is not compressed. This prevents the release of the JDK Inflater, leading to a resource leak. This resource exhaustion can result in a Denial of Service (DoS), making the server unavailable to legitimate users.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | jenkins | Affected | ||
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Affected | ||
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel9 | Affected | ||
| Red Hat AMQ Broker 7 | jetty-server | Affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | jetty-server | Not affected | ||
| Red Hat build of Apache Camel - HawtIO 4 | jetty-server | Affected | ||
| Red Hat build of Apicurio Registry 2 | jetty-server | Not affected | ||
| Red Hat build of Apicurio Registry 3 | jetty-server | Not affected | ||
| Red Hat build of Debezium 2 | jetty-server | Not affected | ||
| Red Hat build of Debezium 3 | jetty-server | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class Gzi ...
The Eclipse Jetty Server Artifact has a Gzip request memory leak
EPSS
7.5 High
CVSS3