CVE-2022-2191 is a vulnerability in Eclipse Jetty
Published on July 7, 2022
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
Vulnerability Analysis
CVE-2022-2191 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Improper Control of a Resource Through its Lifetime
The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Products Associated with CVE-2022-2191
Want to know whenever a new CVE is published for Eclipse Jetty? stack.watch will email you.
Affected Versions
The Eclipse Foundation Eclipse Jetty:- Version 10.0.0 and below unspecified is affected.
- Version unspecified, <= 10.0.9 is affected.
- Version 11.0.0 and below unspecified is affected.
- Version unspecified, <= 11.0.9 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.