Look up vulnerable packages by Package URL.

Purl: pkg:maven/org.eclipse.jetty.http2/http2-common@11.0.20
Type: maven
Namespace: org.eclipse.jetty.http2
Name: http2-common
Version: 11.0.20
Qualifiers: (empty)
Subpath: (empty)
Is_vulnerable: false
Next_non_vulnerable_version: null
Latest_non_vulnerable_version: null
Affected_by_vulnerabilities: (empty)
Fixing_vulnerabilities:
0
url VCID-5sz9-k4jb-97bv
vulnerability_id VCID-5sz9-k4jb-97bv
summary
Connection leaking on idle timeout when TCP congested
If an HTTP/2 connection becomes TCP congested and an idle timeout then occurs, the HTTP/2 session is marked as closed and a GOAWAY frame is queued to be written.
The GOAWAY frame is never actually written, because the connection is TCP congested.
When another idle timeout period elapses, the connection is supposed to be hard-closed, but the hard close is delegated to the HTTP/2 session, which reports that it has already been closed, so the connection is never hard-closed.

This leaves the connection in the ESTABLISHED state (i.e. not closed), TCP congested, and idle.

An attacker can drive many connections into this state; the server may then run out of file descriptors and eventually stop accepting new connections from legitimate clients.

A client can also be affected (if the server does not read, causing TCP congestion on the client side), but the issue is more severe for servers.
references
0 reference_url https://github.com/jetty/jetty.project
1 reference_url https://github.com/jetty/jetty.project/commit/0839a208cdc3fcfe25206a77af59ba9fda260188
2 reference_url https://github.com/jetty/jetty.project/commit/b953871c9a5ff4fbca4a2499848f75182dbd9810
3 reference_url https://github.com/jetty/jetty.project/issues/11256
4 reference_url https://github.com/jetty/jetty.project/issues/11259
5 reference_url https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html
6 reference_url https://security.netapp.com/advisory/ntap-20240329-0001
7 reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-22201 reference_id CVE-2024-22201
8 reference_url https://github.com/advisories/GHSA-rggv-cv7r-mw98 reference_id GHSA-rggv-cv7r-mw98
9 reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98 reference_id GHSA-rggv-cv7r-mw98
(reference_id is empty for entries 0-6; reference_type and scores are empty for every entry; each entry's url field repeats its reference_url)
fixed_packages
0 purl pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.54 is_vulnerable false affected_by_vulnerabilities (empty)
  resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.54
1 purl pkg:maven/org.eclipse.jetty.http2/http2-common@10.0.20 is_vulnerable false affected_by_vulnerabilities (empty)
  resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.http2/http2-common@10.0.20
2 purl pkg:maven/org.eclipse.jetty.http2/http2-common@11.0.20 is_vulnerable false affected_by_vulnerabilities (empty)
  resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.http2/http2-common@11.0.20
(each entry's url field repeats its purl)
aliases CVE-2024-22201, GHSA-rggv-cv7r-mw98
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5sz9-k4jb-97bv
Risk_score: null
Resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty.http2/http2-common@11.0.20
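The lookup above decomposes a Package URL into type, namespace, name, version, qualifiers and subpath, and the vulnerability record lists one fixed version per Jetty release line (9.4.54, 10.0.20, 11.0.20). The following is an added example written for this page, not VulnerableCode's or Jetty's own code: it parses Package URLs following the purl spec's right-to-left splitting order, then uses a record's fixed_packages list to decide whether some other version of the same artifact in an inventory sits below the fix. The vulnerability record is constructed from the page, the inventory versions are constructed, and version ordering is a simplified leading-numeric comparison (an assumption; Maven's real ordering rules are richer).

```python
"""Parse Package URLs and compare inventory versions against a
VulnerableCode-style fixed_packages list.

Illustrative code for this page; not VulnerableCode's library. Version
ordering is simplified (assumption), data is constructed from the page.
"""
import re
from urllib.parse import unquote


def _split_right(s: str, sep: str):
    """Split once from the right; return (s, "") when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def parse_purl(purl: str) -> dict:
    """Decompose pkg:type/namespace/name@version?qualifiers#subpath.

    Subpath, qualifiers and version are split off from the right, in that
    order, so an '@' or '/' that is percent-encoded inside a namespace
    (npm scopes such as %40angular) is not mistaken for a delimiter.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")
    rest, subpath = _split_right(rest, "#")
    rest, qualifier_str = _split_right(rest, "?")
    rest, version = _split_right(rest, "@")
    parts = rest.split("/")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("Package URL needs a type and a name: %r" % purl)
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        if value:  # a qualifier with an empty value is dropped
            qualifiers[key.lower()] = unquote(value)
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath).strip("/") or None,
    }


def version_key(version: str) -> tuple:
    """Leading dotted-numeric part of a version: '9.4.53.v20231009' -> (9, 4, 53).

    Simplified stand-in for Maven ordering (assumption); sufficient for the
    release lines on this page, not for qualifiers like -SNAPSHOT or -RC1.
    """
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    if not m:
        raise ValueError("cannot order version %r" % version)
    return tuple(int(x) for x in m.group(0).split("."))


def upgrade_target(candidate_purl: str, vuln: dict):
    """Compare a candidate against one vulnerability's fixed_packages.

    Returns (below_fix, fixed_version) for the fix in the candidate's major
    release line. Returns (None, None) when the record lists no fix in that
    line or the artifact differs: the record alone then says nothing about
    the candidate, and the candidate itself must be looked up.
    """
    cand = parse_purl(candidate_purl)
    cand_key = version_key(cand["version"])
    for fixed in vuln["fixed_packages"]:
        f = parse_purl(fixed["purl"])
        if (f["type"], f["namespace"], f["name"]) != (cand["type"], cand["namespace"], cand["name"]):
            continue
        f_key = version_key(f["version"])
        if f_key[0] == cand_key[0]:
            return cand_key < f_key, f["version"]
    return None, None


# Constructed from the page: the record for VCID-5sz9-k4jb-97bv reduced to
# the fields this example uses.
VCID_5SZ9 = {
    "vulnerability_id": "VCID-5sz9-k4jb-97bv",
    "aliases": ["CVE-2024-22201", "GHSA-rggv-cv7r-mw98"],
    "fixed_packages": [
        {"purl": "pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.54"},
        {"purl": "pkg:maven/org.eclipse.jetty.http2/http2-common@10.0.20"},
        {"purl": "pkg:maven/org.eclipse.jetty.http2/http2-common@11.0.20"},
    ],
}

if __name__ == "__main__":
    # Constructed inventory: one version per release line, plus one in a
    # line the record does not cover.
    for purl in (
        "pkg:maven/org.eclipse.jetty.http2/http2-common@9.4.53.v20231009",
        "pkg:maven/org.eclipse.jetty.http2/http2-common@10.0.19",
        "pkg:maven/org.eclipse.jetty.http2/http2-common@11.0.20",
        "pkg:maven/org.eclipse.jetty.http2/http2-common@12.0.1",
    ):
        below, fixed = upgrade_target(purl, VCID_5SZ9)
        if below is None:
            verdict = "no fix listed in this release line; look the package up"
        elif below:
            verdict = "below fix, upgrade to %s" % fixed
        else:
            verdict = "at or past fix %s" % fixed
        print(purl, "->", verdict)
```

The (None, None) case matters in practice: a version in a release line the record does not enumerate is not thereby clean, it is simply not decidable from this record, and the right move is to query that package's own entry, where affected_by_vulnerabilities and next_non_vulnerable_version are authoritative.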