CVE-2018-12545
Description
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse Jetty 9.3.x and 9.4.x vulnerable to DoS via CPU/memory exhaustion from crafted HTTP/2 SETTINGS frames.
Vulnerability
In Eclipse Jetty versions 9.3.x (up to 9.3.24.v20180605) and 9.4.x (up to 9.4.12.RC2), the HTTP/2 implementation fails to properly limit resource consumption when processing SETTINGS frames. A remote client can cause excessive CPU and memory allocation by sending either a large SETTINGS frame containing many settings or many small SETTINGS frames [1][3]. The issue is due to the additional processing required for each changed setting [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by establishing an HTTP/2 connection and sending a crafted sequence of SETTINGS frames. No special network position or user interaction is required; the attacker only needs to be able to send network traffic to the Jetty server [1]. The attack can be performed with either a single large SETTINGS frame containing many settings or a rapid succession of small SETTINGS frames [1].
Impact
Successful exploitation leads to a Denial of Service (DoS) condition. The server becomes unresponsive or crashes due to exhaustion of CPU time and memory, preventing legitimate users from accessing services [1]. The vulnerability does not allow for arbitrary code execution or data disclosure; its sole impact is on availability.
Mitigation
The vulnerability is fixed in Jetty versions 9.3.25.v20180904 and 9.4.12.v20180830 [3]. Users should upgrade to these or later versions. If immediate upgrade is not possible, network-level filters or rate-limiting of HTTP/2 connections may reduce exposure, but no official workaround is provided by the vendor.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
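Detection logic for the traffic pattern described above, added here as an example (it is not code from Jetty, the advisory, or this page): it parses raw HTTP/2 frames, counts non-ACK SETTINGS frames and the settings each one carries, and flags a stream of frames that exceeds per-frame or per-window limits. The thresholds and the constructed sample frames are assumptions chosen for illustration, not Jetty's values.

```python
import struct

SETTINGS_TYPE = 0x4      # RFC 7540 §6.5 frame type
ACK_FLAG = 0x1           # SETTINGS ACK carries no settings
FRAME_HEADER_LEN = 9     # 3-byte length, 1 type, 1 flags, 4 stream id
SETTING_LEN = 6          # 2-byte identifier + 4-byte value

# Assumed thresholds for illustration only (not values Jetty uses).
MAX_SETTINGS_PER_FRAME = 16
MAX_SETTINGS_FRAMES_PER_WINDOW = 20


def parse_frames(data):
    """Split raw bytes into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:      # truncated frame: stop, do not guess
            break
        frames.append((ftype, flags, stream_id, payload))
        off += FRAME_HEADER_LEN + length
    return frames


def inspect_settings(data):
    """Return alert strings for abusive SETTINGS usage in one window of frames."""
    alerts, settings_frames = [], 0
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype != SETTINGS_TYPE or flags & ACK_FLAG:
            continue                   # only non-ACK SETTINGS cost the server work
        if stream_id != 0 or len(payload) % SETTING_LEN:
            alerts.append("malformed SETTINGS frame")   # protocol error per §6.5
            continue
        settings_frames += 1
        n = len(payload) // SETTING_LEN
        if n > MAX_SETTINGS_PER_FRAME:
            alerts.append(f"oversized SETTINGS frame: {n} settings")
    if settings_frames > MAX_SETTINGS_FRAMES_PER_WINDOW:
        alerts.append(f"SETTINGS flood: {settings_frames} frames in window")
    return alerts


def settings_frame(pairs, ack=False):
    """Constructed sample input: build one SETTINGS frame from (id, value) pairs."""
    payload = b"".join(struct.pack(">HI", i, v) for i, v in pairs)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, ACK_FLAG if ack else 0])
    return header + (0).to_bytes(4, "big") + payload
```

Feed `inspect_settings` the bytes received on a connection within a fixed time window; an empty list means the SETTINGS traffic stayed within the assumed limits.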
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty:jetty-server | Maven | >= 9.4.0, < 9.4.12.v20180830 | 9.4.12.v20180830 |
| org.eclipse.jetty:jetty-server | Maven | >= 9.3.0, < 9.3.25.v20180904 | 9.3.25.v20180904 |
Affected products
- The Eclipse Foundation / Eclipse Jetty (v5), range: 9.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-h2f4-v4c4-6wx4 (ghsa: ADVISORY)
2. lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6/ (mitre: vendor-advisory, x_refsource_FEDORA; ghsa: WEB)
3. nvd.nist.gov/vuln/detail/CVE-2018-12545 (ghsa: ADVISORY)
4. bugs.eclipse.org/bugs/show_bug.cgi (ghsa: x_refsource_CONFIRM, WEB)
5. lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2%40%3Ccommits.accumulo.apache.org%3E (mitre: mailing-list, x_refsource_MLIST; ghsa: WEB)
6. lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606%40%3Cdevnull.infra.apache.org%3E (mitre: mailing-list, x_refsource_MLIST; ghsa: WEB)
7. lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E (mitre: mailing-list, x_refsource_MLIST; ghsa: WEB)
8. lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79%40%3Cnotifications.accumulo.apache.org%3E (mitre: mailing-list, x_refsource_MLIST; ghsa: WEB)
9. lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E (mitre: mailing-list, x_refsource_MLIST; ghsa: WEB)
10. www.oracle.com/security-alerts/cpuoct2020.html (ghsa: x_refsource_MISC, WEB)
11. www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (ghsa: x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.