Message-ID: <kqi2nuwafj3rm6e3xykryy5norff6q25qeoogw4ida32uveduo@t7loixt57w25>
Date: Fri, 9 May 2025 12:36:56 +0300
From: Valtteri Vuorikoski <vuori@...com.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-1948 & CVE-2024-13009: DoS and infoleak in Jetty

The Jetty project [1] has announced two security issues classified as "high": a
memory exhaustion issue with crafted HTTP/2 requests (12.x series, fixed in
12.0.17) as CVE-2025-1948, and a cross-request data corruption issue with
potential information leakage when gzip compression is enabled (9.4.x, fixed in
9.4.57, security patch to an otherwise EoL release) as CVE-2024-13009.

CVE-2025-1948 details: <https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8>

CVE-2024-13009 details: <https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5>

[1] Description from project README: "Eclipse Jetty is a lightweight, highly
scalable, Java-based web server and Servlet engine. Jetty's goal is to support
web protocols (HTTP/1, HTTP/2, HTTP/3, WebSocket, etc.) in a high volume low
latency way that provides maximum performance while retaining the ease of use
and compatibility with years of Servlet development."
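For anyone checking an inventory against the fixed releases named in this announcement, here is an added example (not part of the post or of the Jetty project) that parses Jetty version strings numerically and reports which of the two CVEs apply. It assumes, since the post does not spell it out, that every release in the named series below the fixed version is affected, and that the `Server` header follows Jetty's usual `Jetty(<version>)` form.

```python
import re
from typing import List, Optional, Tuple

# Fixed versions as stated in the announcement above.
FIXED = {
    "CVE-2025-1948": (12, 0, 17),  # HTTP/2 memory exhaustion, 12.x series
    "CVE-2024-13009": (9, 4, 57),  # gzip cross-request data corruption, 9.4.x series
}

# Jetty versions look like 9.4.56.v20240826 or 12.0.16; keep the numeric part.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")
# Jetty's Server header form, e.g. "Jetty(9.4.56.v20240826)" (assumed format).
_SERVER_RE = re.compile(r"Jetty\(([^)]+)\)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Numeric tuple so that 9.4.9 < 9.4.57 compares correctly (a lexical
    string comparison would get this wrong)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_from_server_header(header: str) -> Optional[str]:
    """Extract the version from a Server header value, or None if it is not Jetty."""
    m = _SERVER_RE.search(header)
    return m.group(1) if m else None


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the announcement that apply to this release.

    Assumption (not stated in the post): all releases of the named series
    below the fixed version are affected; other series are out of scope."""
    v = parse_version(version)
    hits = []
    if v[0] == 12 and v < FIXED["CVE-2025-1948"]:
        hits.append("CVE-2025-1948")
    if v[:2] == (9, 4) and v < FIXED["CVE-2024-13009"]:
        hits.append("CVE-2024-13009")
    return hits


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real host.
    for hdr in ("Jetty(9.4.56.v20240826)", "Jetty(12.0.16)", "Jetty(9.4.57)"):
        ver = version_from_server_header(hdr)
        print(hdr, "->", affected_cves(ver) if ver else "not Jetty")
```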
