eclipse jetty CVE-2021-28165 vulnerability in Eclipse and Other Products
Published on April 1, 2021

product logo product logo product logo product logo
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Github Repository Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-28165 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Types

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2021-28165 has been classified to as a Resource Exhaustion vulnerability or weakness.

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

Improper Handling of Exceptional Conditions

The software does not handle or incorrectly handles an exceptional condition.


Products Associated with CVE-2021-28165

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-28165 are published in these products:

Eclipse Jetty
 
Oracle Autovue Agile Product Lifecycle Management
 
Oracle Communications Cloud Native Core Policy
 
Oracle Communications Element Manager
 
Oracle Communications Services Gatekeeper
 
Oracle Communications Session Report Manager
 
Oracle Communications Session Route Manager
 
Oracle Rest Data Services
 
Oracle Siebel Core Automation
 
Jenkins
 
NetApp Cloud Manager
 
NetApp E Series Performance Analyzer
 
NetApp E Series Santricity Os Controller
 
NetApp E Series Santricity Storage
 
NetApp E Series Santricity Web Services
 
NetApp Ontap Tools
 
NetApp Santricity Cloud Connector
 
NetApp Santricity Web Services Proxy
 
NetApp Snapcenter
 
NetApp Storage Replication Adapter Clustered Data Ontap
 
NetApp Vasa Provider Clustered Data Ontap
 
Oracle
 

Affected Versions

The Eclipse Foundation Eclipse Jetty:

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-28165

Package Manager Vulnerable Package Versions Fixed In
maven org.eclipse.jetty:jetty-io >= 11.0.0, < 11.0.2 11.0.2

Exploit Probability

EPSS
11.83%
Percentile
93.57%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.