Vulnerability Details : CVE-2022-2191
Potential exploit
In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool in error code paths.
Products affected by CVE-2022-2191
- cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-2191
- 0.47%: Probability of exploitation activity in the next 30 days
- ~63%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-2191
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | Eclipse Foundation | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2022-2191
- The product does not release or incorrectly releases a resource before it is made available for re-use. Assigned by: emo@eclipse.org (Secondary), nvd@nist.gov (Primary)
- The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. Assigned by: emo@eclipse.org (Secondary)
References for CVE-2022-2191
- https://security.netapp.com/advisory/ntap-20220909-0003/
  CVE-2022-2191 Eclipse Jetty Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
  SslConnection does not release pooled ByteBuffers in case of errors · Advisory · eclipse/jetty.project · GitHub (Exploit; Vendor Advisory)