Cyber Resilience

CVE-2022-2048

High

Published: 07 July 2022
Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0105 (77.9th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-2048 is a high-severity Insufficient Resource Pool (CWE-410) vulnerability in Eclipse Jetty. Its CVSS base score is 7.5 (High).

Operationally, this CVE ranks in the top 22.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Affected versions

eclipse / jetty: ≤ 9.4.47 · 10.0.0 - 10.0.9 · 11.0.0 - 11.0.9
debian / debian linux: 10.0, 11.0
netapp / element plug-in for vcenter server: all versions
netapp / management services for element software and netapp hci: all versions
netapp / snapcenter: all versions
netapp / solidfire & hci storage node: all versions
netapp / hci compute node: all versions
jenkins / jenkins: ≤ 2.263 · ≤ 2.361.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-664: Requires a managed development lifecycle process with integrity controls on changes, improving control of resources throughout their lifetime.

Addresses CWE-664: Requires designing resource lifetime controls that anticipate, withstand, and recover from stresses or attacks, mitigating improper resource control.

Addresses CWE-410: Ensures a managed resource pool is maintained rather than allowing exhaustion by any single consumer.

Addresses CWE-664: Directly enforces limited resource lifetime by requiring initiation from a known state and explicit termination, shrinking the window in which any long-lived resource weakness can be exploited.
