CVE-2018-12545

Severity: HIGH | CVSS 7.5/10 | EPSS 5.08%
CVE-2018-12545 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. EPSS estimates a 5.08% chance of exploitation in the next 30 days.

Description

In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Metrics

CVSS 3.1: 7.5/10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability: 5.08% (91.3rd percentile)
Probability of exploitation in the next 30 days.

Affected Software

Vendor         Product  Version  Update
Eclipse        Jetty    9.3.0    20150601
Eclipse        Jetty    9.3.1    20150714
Eclipse        Jetty    9.3.2    20150730
Eclipse        Jetty    9.3.3    20150825
Eclipse        Jetty    9.3.4    20151005
Eclipse        Jetty    9.3.5    20151012
Eclipse        Jetty    9.3.6    20151106
Eclipse        Jetty    9.3.7    20160115
Eclipse        Jetty    9.3.8    20160311
Eclipse        Jetty    9.3.9    20160517
Eclipse        Jetty    9.3.10   20160621
Eclipse        Jetty    9.3.11   20160721
Eclipse        Jetty    9.3.12   20160915
Eclipse        Jetty    9.3.13   20161014
Eclipse        Jetty    9.3.14   20161028
Eclipse        Jetty    9.3.15   20161220
Eclipse        Jetty    9.3.16   20170119
Eclipse        Jetty    9.3.17   20170317
Eclipse        Jetty    9.3.18   20170406
Eclipse        Jetty    9.3.19   20170502
Eclipse        Jetty    9.3.20   20170531
Eclipse        Jetty    9.3.21   20170918
Eclipse        Jetty    9.3.22   20171030
Eclipse        Jetty    9.3.23   20180228
Eclipse        Jetty    9.3.24   20180605
Eclipse        Jetty    9.4.0    20161207
Eclipse        Jetty    9.4.1    20170120
Eclipse        Jetty    9.4.2    20170220
Eclipse        Jetty    9.4.3    20170317
Eclipse        Jetty    9.4.4    20170410
Eclipse        Jetty    9.4.5    20170502
Eclipse        Jetty    9.4.6    20170531
Eclipse        Jetty    9.4.7    20170914
Eclipse        Jetty    9.4.8    20171121
Eclipse        Jetty    9.4.9    20180320
Eclipse        Jetty    9.4.10   20180503
Eclipse        Jetty    9.4.11   20180605
Eclipse        Jetty    9.4.12   rc0
Fedoraproject  Fedora   28       -

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2018-12545?
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
How severe is CVE-2018-12545?
CVE-2018-12545 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 5.08% probability of exploitation in the next 30 days.
How do I fix CVE-2018-12545?
Check the vendor references and advisories for patched versions and mitigation guidance.

Source: NVD / NIST