In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16460 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to MadeYouReset     DoS attack through HTTP/2 control frames (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16461 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is     vulnerable to MadeYouReset DoS attack through HTTP/2 control frames (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16459 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to MadeYouReset     DoS attack through HTTP/2 control frames (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16462 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is     vulnerable to MadeYouReset DoS attack through HTTP/2 control frames (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16455 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is     vulnerable to MadeYouReset DoS attack through HTTP/2 control frames     (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16454 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to MadeYouReset     DoS attack through HTTP/2 control frames (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16457 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to MadeYouReset     DoS attack through HTTP/2 control frames (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16456 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins: HTTP/2 (including DNS over HTTPS) contains a design flaw and is     vulnerable to MadeYouReset DoS attack through HTTP/2 control frames     (CVE-2025-5115)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6006 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6006-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     September 19, 2025                    https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : jetty12     CVE ID         : CVE-2025-5115

    This update for Jetty, a Java servlet engine and web server, addresses     a protocol-level vulnerability in HTTP/2 support also referred to as     MadeYouReset.

    For the stable distribution (trixie), this problem has been fixed in     version 12.0.17-3.1~deb13u1.

    We recommend that you upgrade your jetty12 packages.

    For the detailed security status of jetty12 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/jetty12

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6005 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6005-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     September 19, 2025                    https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : jetty9     CVE ID         : CVE-2025-5115

    This update for Jetty, a Java servlet engine and web server, addresses a     protocol-level vulnerability in HTTP/2 support also referred to as     MadeYouReset.

    For the oldstable distribution (bookworm), this problem has been fixed     in version 9.4.57-1.1~deb12u1.

    For the stable distribution (trixie), this problem has been fixed in     version 9.4.57-1.1~deb13u1.

    We recommend that you upgrade your jetty9 packages.

    For the detailed security status of jetty9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/jetty9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b9b668f0-96ec-4568-b618-2edea45d6933 advisory.

    Jenkins Security Advisory:
    HTTP/2 denial of service vulnerability in bundled Jetty     Missing permission check allows obtaining agent names      Missing permission check in authenticated users' profile menu     Log message injection vulnerability

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.516.3 or Jenkins weekly prior to 2.528. It is, therefore, affected by multiple vulnerabilities:

  - In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client     may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that     should not be sent in a particular stream state, therefore forcing the server to consume resources such as     CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window     size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-     window_update , the server should send a RST_STREAM frame. The client can now open another stream and send     another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this     case does not exceed the max number of concurrent streams, yet the client is able to create an enormous     amount of streams in a short period of time. The attack can be performed with other conditions (for     example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: *     https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h (CVE-2025-5115)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4299 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4299-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     September 14, 2025                            https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : jetty9     Version        : 9.4.57-0+deb11u3     CVE ID         : CVE-2025-5115     Debian Bug     : 1111766

    The MadeYouReset HTTP/2 vulnerability has been fixet in the Jetty     web server and servlet container.

    For Debian 11 bullseye, this problem has been fixed in version     9.4.57-0+deb11u3.

    We recommend that you upgrade your jetty9 packages.

    For the detailed security status of jetty9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/jetty9

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2025:02993-2 advisory.

    Upgraded to version 9.4.58.v20250814:
    - CVE-2025-5115: Fixed MadeYouReset DoS attack via HTTP/2 protocol (including DNS over HTTPS)     (bsc#1244252)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client     may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that     should not be sent in a particular stream state, therefore forcing the server to consume resources such as     CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window     size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-     window_update , the server should send a RST_STREAM frame. The client can now open another stream and send     another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this     case does not exceed the max number of concurrent streams, yet the client is able to create an enormous     amount of streams in a short period of time. The attack can be performed with other conditions (for     example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: *     https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h (CVE-2025-5115)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:02993-1 advisory.

    Upgraded to version 9.4.58.v20250814:
    - CVE-2025-5115: Fixed MadeYouReset DoS attack via HTTP/2 protocol (including DNS over HTTPS)     (bsc#1244252)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
265803	RHEL 8 : Red Hat Product OCP Tools 4.13 OpenShift Jenkins (RHSA-2025:16460)	Nessus	Red Hat Local Security Checks	high
265784	RHEL 8 : Red Hat Product OCP Tools 4.14 OpenShift Jenkins (RHSA-2025:16461)	Nessus	Red Hat Local Security Checks	high
265743	RHEL 8 : Red Hat Product OCP Tools 4.12 OpenShift Jenkins (RHSA-2025:16459)	Nessus	Red Hat Local Security Checks	high
265742	RHEL 8 : Red Hat Product OCP Tools 4.15 OpenShift Jenkins (RHSA-2025:16462)	Nessus	Red Hat Local Security Checks	high
265740	RHEL 9 : Red Hat Product OCP Tools 4.18 Openshift Jenkins (RHSA-2025:16455)	Nessus	Red Hat Local Security Checks	high
265739	RHEL 9 : Red Hat Product OCP Tools 4.19 OpenShift Jenkins (RHSA-2025:16454)	Nessus	Red Hat Local Security Checks	high
265738	RHEL 9 : Red Hat Product OCP Tools 4.16 OpenShift Jenkins (RHSA-2025:16457)	Nessus	Red Hat Local Security Checks	high
265737	RHEL 9 : Red Hat Product OCP Tools 4.17 OpenShift Jenkins (RHSA-2025:16456)	Nessus	Red Hat Local Security Checks	high
265454	Debian dsa-6006 : jetty12 - security update	Nessus	Debian Local Security Checks	high
265453	Debian dsa-6005 : jetty9 - security update	Nessus	Debian Local Security Checks	high
265360	FreeBSD : jenkins -- multiple vulnerabilities (b9b668f0-96ec-4568-b618-2edea45d6933)	Nessus	FreeBSD Local Security Checks	high
265325	Jenkins LTS < 2.516.3 / Jenkins weekly < 2.528 Multiple Vulnerabilities	Nessus	CGI abuses	high
264780	Debian dla-4299 : jetty9 - security update	Nessus	Debian Local Security Checks	high
260434	openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2025:02993-2)	Nessus	SuSE Local Security Checks	high
260193	Linux Distros Unpatched Vulnerability : CVE-2025-5115	Nessus	Misc.	high
258063	SUSE SLED15 / SLES15 Security Update : jetty-minimal (SUSE-SU-2025:02993-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2025-5115

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high