csaf_certbund - wid-sec-w-2025-1830

wid-sec-w-2025-1830

Vulnerability from csaf_certbund

Published

2025-08-13 22:00

Modified

2025-08-31 22:00

Summary

http/2 Implementierungen: Schwachstelle ermöglicht Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

http/2 ist das HyperText Transfer Protocol in Version 2.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in verschiednen http/2 Implementierungen ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "http/2 ist das HyperText Transfer Protocol in Version 2.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in verschiednen http/2 Implementierungen ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1830 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1830.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1830 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1830"
      },
      {
        "category": "external",
        "summary": "Gal Bar Nahum\u0027s Blog - MadeYouReset Series vom 2025-08-13",
        "url": "https://galbarnahum.com/made-you-reset"
      },
      {
        "category": "external",
        "summary": "CERT/CC VU#767506 vom 2025-08-13",
        "url": "https://kb.cert.org/vuls/id/767506"
      },
      {
        "category": "external",
        "summary": "Varnish Security Advisory VSV00017 vom 2025-08-13",
        "url": "https://varnish-cache.org/security/VSV00017.html"
      },
      {
        "category": "external",
        "summary": "Mailing List OSS Security vom 2025-08-13",
        "url": "https://seclists.org/oss-sec/2025/q3/95"
      },
      {
        "category": "external",
        "summary": "Tomcat 9 Security vom 2025-08-13",
        "url": "https://tomcat.apache.org/security-9.html"
      },
      {
        "category": "external",
        "summary": "Tomcat 10 Security vom 2025-08-13",
        "url": "https://tomcat.apache.org/security-10.html"
      },
      {
        "category": "external",
        "summary": "Tomcat 11 Security vom 2025-08-13",
        "url": "https://tomcat.apache.org/security-11.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:13686 vom 2025-08-13",
        "url": "https://access.redhat.com/errata/RHSA-2025:13686"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:13685 vom 2025-08-14",
        "url": "https://access.redhat.com/errata/RHSA-2025:13685"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15449-1 vom 2025-08-16",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LD37QPQBLKIFMKWJXACHGPA7WALFCOM7/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14004 vom 2025-08-19",
        "url": "https://access.redhat.com/errata/RHSA-2025:14004"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14008 vom 2025-08-19",
        "url": "https://access.redhat.com/errata/RHSA-2025:14008"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14182 vom 2025-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:14182"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14177 vom 2025-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:14177"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14180 vom 2025-08-21",
        "url": "https://access.redhat.com/errata/RHSA-2025:14180"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-MMXM-8W33-WC4H vom 2025-08-20",
        "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14179 vom 2025-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:14179"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14178 vom 2025-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:14178"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14183 vom 2025-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:14183"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-14177 vom 2025-08-21",
        "url": "https://linux.oracle.com/errata/ELSA-2025-14177.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14197 vom 2025-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:14197"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14181 vom 2025-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:14181"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-14181 vom 2025-08-21",
        "url": "https://linux.oracle.com/errata/ELSA-2025-14181.html"
      },
      {
        "category": "external",
        "summary": "New Varnish Cache releases (7.7.3, 7.6.5 and 6.0.16) vom 2025-08-20",
        "url": "https://varnish-cache.org/lists/pipermail/varnish-announce/2025-August/000771.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-14178 vom 2025-08-21",
        "url": "https://linux.oracle.com/errata/ELSA-2025-14178.html"
      },
      {
        "category": "external",
        "summary": "PoC CVE-2025-8671 vom 2025-08-24",
        "url": "https://github.com/abiyeenzo/CVE-2025-8671"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15483-1 vom 2025-08-23",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EXDF5TMMN4LHEDWLII7MMDPWQR5D6UWU/"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-14179 vom 2025-08-22",
        "url": "https://linux.oracle.com/errata/ELSA-2025-14179.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15490-1 vom 2025-08-26",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HVS2SK75HFDIVZCEQSOAOL6TTJCJFJZK/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15491-1 vom 2025-08-26",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PFPY4ZCVL2NZMRDOWWAY4ZBXIIA663BF/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15489-1 vom 2025-08-26",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UBHMT4B4D7HRMDPQJYDEV5UUSG7LVAHI/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02992-1 vom 2025-08-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022280.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02993-1 vom 2025-08-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022294.html"
      },
      {
        "category": "external",
        "summary": "Camunda Security Notice 144 vom 2025-08-28",
        "url": "https://docs.camunda.org/security/notices/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:03006-1 vom 2025-08-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022326.html"
      },
      {
        "category": "external",
        "summary": "ATOSS Sicherheitsmitteilung: Apache Tomcat-Sicherheitsl\u00fccken vom 2025-08-28",
        "url": "https://www.atoss.ch/de-ch/sicherheit/security-news"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:14911 vom 2025-08-28",
        "url": "https://access.redhat.com/errata/RHSA-2025:14911"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:03024-1 vom 2025-08-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022345.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:03021-1 vom 2025-08-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022331.html"
      }
    ],
    "source_lang": "en-US",
    "title": "http/2 Implementierungen: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2025-08-31T22:00:00.000+00:00",
      "generator": {
        "date": "2025-09-01T07:11:10.146+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1830",
      "initial_release_date": "2025-08-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-08-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-08-17T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-08-19T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-08-20T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat, Open Source, Oracle Linux und European Union Vulnerability Database aufgenommen"
        },
        {
          "date": "2025-08-21T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2025-08-24T22:00:00.000+00:00",
          "number": "6",
          "summary": "PoC aufgenommen"
        },
        {
          "date": "2025-08-26T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-08-27T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-08-28T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE und Red Hat aufgenommen"
        },
        {
          "date": "2025-08-31T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "10"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "ATOSS Staff Efficiency Suite",
            "product": {
              "name": "ATOSS Staff Efficiency Suite",
              "product_id": "T041371",
              "product_identification_helper": {
                "cpe": "cpe:/a:atoss:staff_efficiency_suite:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "ATOSS"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c11.0.10",
                "product": {
                  "name": "Apache Tomcat \u003c11.0.10",
                  "product_id": "1821869"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.10",
                "product": {
                  "name": "Apache Tomcat 11.0.10",
                  "product_id": "1821869-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:11.0.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.0.108",
                "product": {
                  "name": "Apache Tomcat \u003c9.0.108",
                  "product_id": "1821870"
                }
              },
              {
                "category": "product_version",
                "name": "9.0.108",
                "product": {
                  "name": "Apache Tomcat 9.0.108",
                  "product_id": "1821870-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:9.0.108"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.1.44",
                "product": {
                  "name": "Apache Tomcat \u003c10.1.44",
                  "product_id": "T046241"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.44",
                "product": {
                  "name": "Apache Tomcat 10.1.44",
                  "product_id": "T046241-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:10.1.44"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tomcat"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.4.58",
                "product": {
                  "name": "Eclipse Jetty \u003c9.4.58",
                  "product_id": "T046367"
                }
              },
              {
                "category": "product_version",
                "name": "9.4.58",
                "product": {
                  "name": "Eclipse Jetty 9.4.58",
                  "product_id": "T046367-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:9.4.58"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.0.26",
                "product": {
                  "name": "Eclipse Jetty \u003c10.0.26",
                  "product_id": "T046368"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.26",
                "product": {
                  "name": "Eclipse Jetty 10.0.26",
                  "product_id": "T046368-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:10.0.26"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.26",
                "product": {
                  "name": "Eclipse Jetty \u003c11.0.26",
                  "product_id": "T046369"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.26",
                "product": {
                  "name": "Eclipse Jetty 11.0.26",
                  "product_id": "T046369-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:11.0.26"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c12.0.25",
                "product": {
                  "name": "Eclipse Jetty \u003c12.0.25",
                  "product_id": "T046370"
                }
              },
              {
                "category": "product_version",
                "name": "12.0.25",
                "product": {
                  "name": "Eclipse Jetty 12.0.25",
                  "product_id": "T046370-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:12.0.25"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c12.1.0.beta3",
                "product": {
                  "name": "Eclipse Jetty \u003c12.1.0.beta3",
                  "product_id": "T046371"
                }
              },
              {
                "category": "product_version",
                "name": "12.1.0.beta3",
                "product": {
                  "name": "Eclipse Jetty 12.1.0.beta3",
                  "product_id": "T046371-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:12.1.0.beta3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Jetty"
          }
        ],
        "category": "vendor",
        "name": "Eclipse"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Optimize \u003c3.15.7",
                "product": {
                  "name": "Open Source Camunda Optimize \u003c3.15.7",
                  "product_id": "T046585"
                }
              },
              {
                "category": "product_version",
                "name": "Optimize 3.15.7",
                "product": {
                  "name": "Open Source Camunda Optimize 3.15.7",
                  "product_id": "T046585-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:camunda:camunda:optimize_3.15.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Optimize \u003c3.14.8",
                "product": {
                  "name": "Open Source Camunda Optimize \u003c3.14.8",
                  "product_id": "T046586"
                }
              },
              {
                "category": "product_version",
                "name": "Optimize 3.14.8",
                "product": {
                  "name": "Open Source Camunda Optimize 3.14.8",
                  "product_id": "T046586-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:camunda:camunda:optimize_3.14.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Optimize \u003c3.13.19",
                "product": {
                  "name": "Open Source Camunda Optimize \u003c3.13.19",
                  "product_id": "T046587"
                }
              },
              {
                "category": "product_version",
                "name": "Optimize 3.13.19",
                "product": {
                  "name": "Open Source Camunda Optimize 3.13.19",
                  "product_id": "T046587-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:camunda:camunda:optimize_3.13.19"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Camunda"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.6.4",
                "product": {
                  "name": "Open Source Varnish HTTP Cache \u003c7.6.4",
                  "product_id": "T046242"
                }
              },
              {
                "category": "product_version",
                "name": "7.6.4",
                "product": {
                  "name": "Open Source Varnish HTTP Cache 7.6.4",
                  "product_id": "T046242-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:varnish_http_accelerator_integration_project:varnish:7.6.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.7.2",
                "product": {
                  "name": "Open Source Varnish HTTP Cache \u003c7.7.2",
                  "product_id": "T046243"
                }
              },
              {
                "category": "product_version",
                "name": "7.7.2",
                "product": {
                  "name": "Open Source Varnish HTTP Cache 7.7.2",
                  "product_id": "T046243-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:varnish_http_accelerator_integration_project:varnish:7.7.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.0.15",
                "product": {
                  "name": "Open Source Varnish HTTP Cache \u003c6.0.15",
                  "product_id": "T046244"
                }
              },
              {
                "category": "product_version",
                "name": "6.0.15",
                "product": {
                  "name": "Open Source Varnish HTTP Cache 6.0.15",
                  "product_id": "T046244-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:varnish_http_accelerator_integration_project:varnish:6.0.15"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Varnish HTTP Cache"
          },
          {
            "category": "product_name",
            "name": "Open Source lighttpd",
            "product": {
              "name": "Open Source lighttpd",
              "product_id": "T000812",
              "product_identification_helper": {
                "cpe": "cpe:/a:lighttpd:lighttpd:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Apache Camel 1",
                "product": {
                  "name": "Red Hat Enterprise Linux Apache Camel 1",
                  "product_id": "T044468",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:apache_camel_1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Quarkus 3.15.6.SP1",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus 3.15.6.SP1",
                  "product_id": "T046330",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quarkus_3.15.6.sp1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Quarkus 3.20.2.SP1",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus 3.20.2.SP1",
                  "product_id": "T046331",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quarkus_3.20.2.sp1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Camel for Spring Boot 1",
                "product": {
                  "name": "Red Hat Integration Camel for Spring Boot 1",
                  "product_id": "T035240",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:integration:camel_for_spring_boot_1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Integration"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.1.2",
                "product": {
                  "name": "Red Hat JBoss Web Server \u003c6.1.2",
                  "product_id": "T046251"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.2",
                "product": {
                  "name": "Red Hat JBoss Web Server 6.1.2",
                  "product_id": "T046251-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss Web Server"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Specification http/2",
            "product": {
              "name": "Specification http/2",
              "product_id": "T030386",
              "product_identification_helper": {
                "cpe": "cpe:/a:ietf:http2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Specification"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-48989",
      "product_status": {
        "known_affected": [
          "T030386",
          "T046370",
          "67646",
          "T046371",
          "T004914",
          "T000812",
          "1821870",
          "T046330",
          "T046331",
          "T046251",
          "T035240",
          "1821869",
          "T046369",
          "T041371",
          "T044468",
          "T002207",
          "T027843",
          "T046242",
          "T046243",
          "T046241",
          "T046367",
          "T046587",
          "T046368",
          "T046244",
          "T046585",
          "T046586"
        ]
      },
      "release_date": "2025-08-13T22:00:00.000+00:00",
      "title": "CVE-2025-48989"
    },
    {
      "cve": "CVE-2025-5115",
      "product_status": {
        "known_affected": [
          "T030386",
          "T046370",
          "67646",
          "T046371",
          "T004914",
          "T000812",
          "1821870",
          "T046330",
          "T046331",
          "T046251",
          "T035240",
          "1821869",
          "T046369",
          "T041371",
          "T044468",
          "T002207",
          "T027843",
          "T046242",
          "T046243",
          "T046241",
          "T046367",
          "T046587",
          "T046368",
          "T046244",
          "T046585",
          "T046586"
        ]
      },
      "release_date": "2025-08-13T22:00:00.000+00:00",
      "title": "CVE-2025-5115"
    },
    {
      "cve": "CVE-2025-55163",
      "product_status": {
        "known_affected": [
          "T030386",
          "T046370",
          "67646",
          "T046371",
          "T004914",
          "T000812",
          "1821870",
          "T046330",
          "T046331",
          "T046251",
          "T035240",
          "1821869",
          "T046369",
          "T041371",
          "T044468",
          "T002207",
          "T027843",
          "T046242",
          "T046243",
          "T046241",
          "T046367",
          "T046587",
          "T046368",
          "T046244",
          "T046585",
          "T046586"
        ]
      },
      "release_date": "2025-08-13T22:00:00.000+00:00",
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-8671",
      "product_status": {
        "known_affected": [
          "T030386",
          "T046370",
          "67646",
          "T046371",
          "T004914",
          "T000812",
          "1821870",
          "T046330",
          "T046331",
          "T046251",
          "T035240",
          "1821869",
          "T046369",
          "T041371",
          "T044468",
          "T002207",
          "T027843",
          "T046242",
          "T046243",
          "T046241",
          "T046367",
          "T046587",
          "T046368",
          "T046244",
          "T046585",
          "T046586"
        ]
      },
      "release_date": "2025-08-13T22:00:00.000+00:00",
      "title": "CVE-2025-8671"
    }
  ]
}

CVE-2025-5115 (GCVE-0-2025-5115)

Vulnerability from cvelistv5

Published

2025-08-20 19:07

Modified

2025-08-21 10:36

Severity ?

7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Summary

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

References

▼	URL	Tags
	https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h	issue-tracking
	https://github.com/jetty/jetty.project/pull/13449	patch
	https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0	release-notes
	https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25	release-notes
	https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26	release-notes
	https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26	release-notes
	https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814	release-notes

Impacted products

	Vendor	Product	Version
	Eclipse Jetty	Eclipse Jetty	Version: >=9.3.0 ≤ <=9.4.57 Version: >=10.0.0 ≤ <=10.0.25 Version: >=11.0.0 ≤ <=11.0.25 Version: >=12.0.0 ≤ <=12.0.21 Version: >=12.1.0.alpha0 ≤ <=12.1.0.alpha2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-20T19:28:04.700843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-20T19:28:12.942Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "pkg:maven/org.eclipse.jetty.http2/http2-common",
          "product": "Eclipse Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Jetty",
          "versions": [
            {
              "lessThanOrEqual": "\u003c=9.4.57",
              "status": "affected",
              "version": "\u003e=9.3.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "\u003c=10.0.25",
              "status": "affected",
              "version": "\u003e=10.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "\u003c=11.0.25",
              "status": "affected",
              "version": "\u003e=11.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "\u003c=12.0.21",
              "status": "affected",
              "version": "\u003e=12.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "\u003c=12.1.0.alpha2",
              "status": "affected",
              "version": "\u003e=12.1.0.alpha0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eIn Eclipse Jetty, versions \u0026lt;=9.4.57, \u0026lt;=10.0.25, \u0026lt;=11.0.25, \u0026lt;=12.0.21, \u0026lt;=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\u003c/p\u003e\n\u003cp\u003eFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update\"\u003e\u003c/a\u003e, the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\u003c/p\u003e\n\u003cp\u003eThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\u003c/p\u003e\n\n\u003cp\u003e\u003cstrong\u003eLinks:\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\"\u003ehttps://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "In Eclipse Jetty, versions \u003c=9.4.57, \u003c=10.0.25, \u003c=11.0.25, \u003c=12.0.21, \u003c=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\n\n\nFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification  https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\n\n\nThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\n\n\n\nLinks:\n\n\n\n  *   https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-21T10:36:49.477Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/jetty/jetty.project/pull/13449"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "MadeYouReset HTTP/2 vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2025-5115",
    "datePublished": "2025-08-20T19:07:11.546Z",
    "dateReserved": "2025-05-23T08:55:59.861Z",
    "dateUpdated": "2025-08-21T10:36:49.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-8671 (GCVE-0-2025-8671)

Vulnerability from cvelistv5

Published

2025-08-13 12:03

Modified

2025-08-17 14:26

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-404 Improper Resource Shutdown or Release

Summary

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.

References

▼	URL	Tags
	https://galbarnahum.com/made-you-reset
	https://kb.cert.org/vuls/id/767506
	https://varnish-cache.org/security/VSV00017.html
	https://www.fastlystatus.com/incident/377810
	https://github.com/h2o/h2o/commit/4729b661e3c6654198d2cc62997e1af58bef4b80
	https://support2.windriver.com/index.php?page=security-notices
	https://www.suse.com/support/kb/doc/?id=000021980
	https://gitlab.isc.org/isc-projects/bind9/-/issues/5325
	https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq

Impacted products

Vendor

Product

Version

▼

SUSE Linux

Enterprise Module for Development Tools

Version: 15 SP2 < 15-SP5

SUSE Linux	Enterprise High Performance Computing (HPC)	Version: 15 < 15 SP5
Varnish Software	Varnish Enterprise	Version: 6.0.x <
Varnish Software	Varnish Cache	Version: 6.0LTS <
Varnish Software	Varnish Cache	Version: 5.x <
Fastly	H20	Version: 579ecfa
Wind River	Linux	Version: LTS22 <
SUSE Linux	Enterprise Desktop	Version: 15 SP6 < 15 SP7
SUSE Linux	Enterprise High Performance Computing	Version: 15 SP3 < 15 SP7
SUSE Linux	Enterprise Module for Dev Tools	Version: 15 SP3 < 15 SP7
SUSE Linux	Enterprise Module for Package Hub	Version: 15 SP5 < 15 SP7
SUSE Linux	Enterprise Server	Version: 12 SP5 < 15 SP7
SUSE Linux	Enterprise Server for SAP Applications	Version: 15 SP6 < 15 SP7
SUSE Linux	SUSE Manager Server	Version: 4.3
SUSE Linux	SUSE Manager Server LTS	Version: 4.3
SUSE Linux	SUSE Manager Proxy	Version: 4.3
SUSE Linux	SUSE Manager Retail Branch Server	Version: 4.3
SUSE Linux	openSUSE Leap	Version: 15.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-8671",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T18:34:19.913332Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-404",
                "description": "CWE-404 Improper Resource Shutdown or Release",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T19:57:17.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.isc.org/isc-projects/bind9/-/issues/5325"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-08-17T14:26:49.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/envoyproxy/envoy/issues/40739"
          },
          {
            "url": "https://github.com/varnish/hitch/issues/397"
          },
          {
            "url": "https://github.com/Kong/kong/discussions/14731"
          },
          {
            "url": "https://deepness-lab.org/publications/madeyoureset/"
          },
          {
            "url": "https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Enterprise Module for Development Tools",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15-SP5",
              "status": "affected",
              "version": "15 SP2",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise High Performance Computing (HPC)",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP5",
              "status": "affected",
              "version": "15",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Varnish Enterprise",
          "vendor": "Varnish Software",
          "versions": [
            {
              "lessThanOrEqual": "6.0.14r4",
              "status": "affected",
              "version": "6.0.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Varnish Cache",
          "vendor": "Varnish Software",
          "versions": [
            {
              "lessThanOrEqual": "6.014",
              "status": "affected",
              "version": "6.0LTS",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Varnish Cache",
          "vendor": "Varnish Software",
          "versions": [
            {
              "lessThanOrEqual": "7.71",
              "status": "affected",
              "version": "5.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "H20",
          "vendor": "Fastly",
          "versions": [
            {
              "status": "affected",
              "version": "579ecfa"
            }
          ]
        },
        {
          "product": "Linux",
          "vendor": "Wind River",
          "versions": [
            {
              "lessThanOrEqual": "TLS25",
              "status": "affected",
              "version": "LTS22",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Desktop",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP6",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise High Performance Computing",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Module for Dev Tools",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Module for Package Hub",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP5",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Server",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "12 SP5",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Enterprise Server for SAP Applications",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "lessThan": "15 SP7",
              "status": "affected",
              "version": "15 SP6",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "SUSE Manager Server",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "SUSE Manager Server LTS",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "SUSE Manager Proxy",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "SUSE Manager Retail Branch Server",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            }
          ]
        },
        {
          "product": "openSUSE Leap",
          "vendor": "SUSE Linux",
          "versions": [
            {
              "status": "affected",
              "version": "15.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS).  By opening streams and then rapidly triggering the server to reset them\u2014using malformed frames or flow control errors\u2014an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-13T18:19:45.844Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://galbarnahum.com/made-you-reset"
        },
        {
          "url": "https://kb.cert.org/vuls/id/767506"
        },
        {
          "url": "https://varnish-cache.org/security/VSV00017.html"
        },
        {
          "url": "https://www.fastlystatus.com/incident/377810"
        },
        {
          "url": "https://github.com/h2o/h2o/commit/4729b661e3c6654198d2cc62997e1af58bef4b80"
        },
        {
          "url": "https://support2.windriver.com/index.php?page=security-notices"
        },
        {
          "url": "https://www.suse.com/support/kb/doc/?id=000021980"
        },
        {
          "url": "https://gitlab.isc.org/isc-projects/bind9/-/issues/5325"
        },
        {
          "url": "https://github.com/h2o/h2o/security/advisories/GHSA-mrjm-qq9m-9mjq"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2025-8671",
      "x_generator": {
        "engine": "VINCE 3.0.22",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-8671"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-8671",
    "datePublished": "2025-08-13T12:03:37.167Z",
    "dateReserved": "2025-08-06T11:52:46.667Z",
    "dateUpdated": "2025-08-17T14:26:49.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-48989 (GCVE-0-2025-48989)

Vulnerability from cvelistv5

Published

2025-08-13 12:11

Modified

2025-08-13 19:56

Severity ?

CWE

CWE-404 - Improper Resource Shutdown or Release

Summary

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

References

▼	URL	Tags
	https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Version: 11.0.0-M1 ≤ 11.0.9 Version: 10.1.0-M1 ≤ 10.1.43 Version: 9.0.0.M1 ≤ 9.0.107

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48989",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T18:37:15.707400Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T19:56:35.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.9",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.43",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.107",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "unknown",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-13T12:11:26.124Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: h2 DoS - Made You Reset",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-48989",
    "datePublished": "2025-08-13T12:11:26.124Z",
    "dateReserved": "2025-05-29T15:25:37.243Z",
    "dateUpdated": "2025-08-13T19:56:35.999Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-55163 (GCVE-0-2025-55163)

Vulnerability from cvelistv5

Published

2025-08-13 14:17

Modified

2025-08-13 14:37

Severity ?

8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

References

▼	URL	Tags
	https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	netty	netty	Version: < 4.1.124.Final Version: < 4.2.4.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55163",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T14:37:06.148395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T14:37:20.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.124.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.2.4.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-13T14:17:36.111Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
        }
      ],
      "source": {
        "advisory": "GHSA-prj3-ccx8-p6x4",
        "discovery": "UNKNOWN"
      },
      "title": "Netty MadeYouReset HTTP/2 DDoS Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55163",
    "datePublished": "2025-08-13T14:17:36.111Z",
    "dateReserved": "2025-08-07T18:27:23.307Z",
    "dateUpdated": "2025-08-13T14:37:20.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

wid-sec-w-2025-1830

Vulnerability from csaf_certbund

CVE-2025-5115 (GCVE-0-2025-5115)

Vulnerability from cvelistv5

CVE-2025-8671 (GCVE-0-2025-8671)

Vulnerability from cvelistv5

CVE-2025-48989 (GCVE-0-2025-48989)

Vulnerability from cvelistv5

CVE-2025-55163 (GCVE-0-2025-55163)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature