CVE-2022-2048
Description
In the Eclipse Jetty HTTP/2 server implementation, when the server encounters an invalid HTTP/2 request, a bug in the error handling can leave the active connection and its associated resources uncleaned. This can lead to a Denial of Service scenario in which not enough resources remain to process valid requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse Jetty HTTP/2 server fails to clean up connections on invalid requests, leading to resource exhaustion and denial of service.
Root Cause
CVE-2022-2048 is a vulnerability in the Eclipse Jetty HTTP/2 server implementation. When the server encounters an invalid HTTP/2 request, the error handling routine does not properly release active connections and associated resources, leading to a resource leak [1][4].
Exploitation
An unauthenticated attacker can exploit this by sending specially crafted invalid HTTP/2 requests. The server attempts to write a blocking error response directly from the selector thread. If the attacker manages to exhaust the HTTP/2 flow control window or cause TCP congestion, the selector thread becomes blocked. Repeated exploitation can exhaust all selector threads, rendering the server unresponsive [4].
Impact
Successful exploitation results in a denial of service (DoS) condition, where the server cannot process legitimate requests due to insufficient resources [1][4].
Mitigation
The issue is fixed in Jetty versions 9.4.47, 10.0.10, and 11.0.10 [4]. Users of Jenkins, which bundles Winstone-Jetty, are also affected and should update to Jenkins 2.263 or Jenkins LTS 2.361.1 [2]. No workaround is available within Jetty itself, but filtering invalid requests upstream (e.g., via a proxy) can provide temporary relief [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty.http2:http2-server | Maven | < 9.4.47 | 9.4.47 |
| org.eclipse.jetty.http2:http2-server | Maven | >= 10.0.0, < 10.0.10 | 10.0.10 |
| org.eclipse.jetty.http2:http2-server | Maven | >= 11.0.0, < 11.0.10 | 11.0.10 |
Affected products
4 OSV coordinates, 2 version ranges listed:
- (no CPE) range: < 2.361.1
- (no CPE) range: < 9.4.47
- range: 9.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8 references:
- github.com/advisories/GHSA-wgmr-mf83-7x4j (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-2048 (GHSA, advisory)
- www.debian.org/security/2022/dsa-5198 (GHSA, vendor advisory, x_refsource_DEBIAN, web)
- www.openwall.com/lists/oss-security/2022/09/09/2 (GHSA, mailing list, x_refsource_MLIST, web)
- github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j (GHSA, x_refsource_CONFIRM, web)
- lists.debian.org/debian-lts-announce/2022/08/msg00011.html (GHSA, mailing list, x_refsource_MLIST, web)
- security.netapp.com/advisory/ntap-20220901-0006 (GHSA, web)
- security.netapp.com/advisory/ntap-20220901-0006/ (MITRE, x_refsource_CONFIRM)
News mentions
1 news mention:
- Jenkins Security Advisory 2022-09-09 (Jenkins Security Advisories, Sep 9, 2022)