SCA: security update for org.eclipse.jetty.http2:http2-common, org.eclipse.jetty.http2:jetty-http2-common (GHSA-mmxm-8w33-wc4h)

high Tenable Self-Hosted Container Security Plugin ID 435024

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client
may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that
should not be sent in a particular stream state, therefore forcing the server to consume resources such as
CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window
size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-
window_update , the server should send a RST_STREAM frame. The client can now open another stream and send
another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this
case does not exceed the max number of concurrent streams, yet the client is able to create an enormous
amount of streams in a short period of time. The attack can be performed with other conditions (for
example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: *
https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h (CVE-2025-5115)

See Also

https://github.com/advisories/GHSA-mmxm-8w33-wc4h

Plugin Details

Severity: High

ID: 435024

Version: Revision 1.14

Type: Local

Family: SCA Checks

Published: 8/21/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.66

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-5115

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.7

Threat Score: 4.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/20/2025

Vulnerability Publication Date: 8/20/2025

Reference Information

CVE: CVE-2025-5115