[GHSA-wgh7-54f2-x98r] HTTP/2 HPACK integer overflow and buffer allocation

[ch8matt]

Updates

• Affected products

Comments

• The Maven package org.eclipse.jetty:jetty-http is affected by this vulnerability but was not listed in the original advisory. The Jetty project’s own security announcement confirms that jetty-http contains the vulnerable HPACK implementation and was patched in versions 9.4.53, 10.0.16, and 11.0.16:

-> Jetty advisory: GHSA-wgh7-54f2-x98r
-> Fix release notes: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009

• Confirmed affected versions:

org.eclipse.jetty:jetty-http >=9.3.0, <=9.4.52
org.eclipse.jetty:jetty-http >=10.0.0, <=10.0.15
org.eclipse.jetty:jetty-http >=11.0.0, <=11.0.15

[github]

Hi there @jmcc0nn3ll! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[shelbyc]

👋 Hi @ch8matt, org.eclipse.jetty:jetty-http was removed from the list of affected packages per #2859. According to the PR (from a core maintainer of Eclipse Jetty), org.eclipse.jetty:jetty-http "are where the fixes went, but have no release where those packages are vulnerable." Therefore, I'm going to close this PR and keep the list of affected products that GHSA-wgh7-54f2-x98r has now. Thank you for your interest in GHSA-wgh7-54f2-x98r!