CVE-2022-2048
Published: 07 July 2022
Summary
CVE-2022-2048 is a high-severity Insufficient Resource Pool (CWE-410) vulnerability in Eclipse Jetty. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 22.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6436
Vulnerability details
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service…
more
scenario where there are no enough resources left to process good requests.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires a managed development lifecycle process with integrity controls on changes, improving control of resources throughout their lifetime.
Requires designing resource lifetime controls that anticipate, withstand, and recover from stresses or attacks, mitigating improper resource control.
Ensures a managed resource pool is maintained rather than allowing exhaustion by any single consumer.
Directly enforces limited resource lifetime by requiring initiation from a known state and explicit termination, shrinking the window any long-lived resource weakness can be exploited.