Search for vulnerabilities
Vulnerability details: VCID-mw7t-pbnp-1bax
Vulnerability ID VCID-mw7t-pbnp-1bax
Aliases CVE-2022-2191
GHSA-8mpp-f3f7-xc28
Summary Jetty SslConnection does not release pooled ByteBuffers in case of errors ### Impact `SslConnection` does not release `ByteBuffer`s in case of error code paths. For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the `ByteBuffer`s used to process the TLS handshake will be leaked. ### Workarounds Configure explicitly a `RetainableByteBufferPool` with `max[Heap|Direct]Memory` to limit the amount of memory that is leaked. Eventually the pool will be full of "active" entries (the leaked ones) and will provide `ByteBuffer`s that will be GCed normally. _With embedded-jetty_ ``` java int maxBucketSize = 1000; long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory); server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started server.start(); ``` _With jetty-home/jetty-base_ Create a `${jetty.base}/etc/retainable-byte-buffer-config.xml` ``` xml <?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd"> <Configure id="Server" class="org.eclipse.jetty.server.Server"> <Call name="addBean"> <Arg> <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool"> <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg> </New> </Arg> </Call> </Configure> ``` And then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini` ``` etc/retainable-byte-buffer-config.xml ``` ### References https://github.com/eclipse/jetty.project/issues/8161 ### For more information * Email us at [security@webtide.com](mailto:security@webtide.com)
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-404 Improper Resource Shutdown or Release
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2191.json
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
epss 0.00468 https://api.first.org/data/v1/epss?cve=CVE-2022-2191
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8mpp-f3f7-xc28
cvssv3.1 7.5 https://github.com/eclipse/jetty.project
generic_textual HIGH https://github.com/eclipse/jetty.project
cvssv3.1 7.5 https://github.com/eclipse/jetty.project/issues/8161
generic_textual HIGH https://github.com/eclipse/jetty.project/issues/8161
cvssv3.1 7.5 https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
cvssv3.1_qr HIGH https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
generic_textual HIGH https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2022-2191
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-2191
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-2191
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20220909-0003
generic_textual HIGH https://security.netapp.com/advisory/ntap-20220909-0003
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2191.json
https://api.first.org/data/v1/epss?cve=CVE-2022-2191
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/eclipse/jetty.project
https://github.com/eclipse/jetty.project/issues/8161
https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
https://nvd.nist.gov/vuln/detail/CVE-2022-2191
https://security.netapp.com/advisory/ntap-20220909-0003
https://security.netapp.com/advisory/ntap-20220909-0003/
2116953 https://bugzilla.redhat.com/show_bug.cgi?id=2116953
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
GHSA-8mpp-f3f7-xc28 https://github.com/advisories/GHSA-8mpp-f3f7-xc28
RHSA-2023:0189 https://access.redhat.com/errata/RHSA-2023:0189
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2191.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/eclipse/jetty.project
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/eclipse/jetty.project/issues/8161
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2191
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2191
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20220909-0003
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.63471
EPSS Score 0.00468
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:25:25.143808+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json 36.1.3