UBUNTU-CVE-2025-5115

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2025-5115
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-5115.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-5115
Upstream
Published
2025-08-20T20:15:00Z
Modified
2025-09-08T17:06:50Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H CVSS Calculator
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RSTSTREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOWUPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-windowupdate , the server should send a RSTSTREAM frame. The client can now open another stream and send another bad WINDOWUPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RSTSTREAM frame. Links: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

References

Affected packages

Ubuntu:22.04:LTS

jetty9

Package

Name
jetty9
Purl
pkg:deb/ubuntu/jetty9@9.4.45-1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.39-3
9.4.44-2
9.4.44-3
9.4.44-4
9.4.45-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "9.4.45-1",
            "binary_name": "jetty9"
        },
        {
            "binary_version": "9.4.45-1",
            "binary_name": "libjetty9-extra-java"
        },
        {
            "binary_version": "9.4.45-1",
            "binary_name": "libjetty9-java"
        }
    ]
}

Ubuntu:24.04:LTS

jetty9

Package

Name
jetty9
Purl
pkg:deb/ubuntu/jetty9@9.4.53-1?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.51-2
9.4.53-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "9.4.53-1",
            "binary_name": "jetty9"
        },
        {
            "binary_version": "9.4.53-1",
            "binary_name": "libjetty9-extra-java"
        },
        {
            "binary_version": "9.4.53-1",
            "binary_name": "libjetty9-java"
        }
    ]
}

Ubuntu:25.04

jetty9

Package

Name
jetty9
Purl
pkg:deb/ubuntu/jetty9@9.4.56-1?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.55-1
9.4.56-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "9.4.56-1",
            "binary_name": "jetty9"
        },
        {
            "binary_version": "9.4.56-1",
            "binary_name": "libjetty9-extra-java"
        },
        {
            "binary_version": "9.4.56-1",
            "binary_name": "libjetty9-java"
        }
    ]
}

Ubuntu:Pro:14.04:LTS

jetty

Package

Name
jetty
Purl
pkg:deb/ubuntu/jetty@6.1.26-1ubuntu1.2?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.26-1ubuntu1
6.1.26-1ubuntu1.1
6.1.26-1ubuntu1.2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "6.1.26-1ubuntu1.2",
            "binary_name": "jetty"
        },
        {
            "binary_version": "6.1.26-1ubuntu1.2",
            "binary_name": "libjetty-extra"
        },
        {
            "binary_version": "6.1.26-1ubuntu1.2",
            "binary_name": "libjetty-extra-java"
        },
        {
            "binary_version": "6.1.26-1ubuntu1.2",
            "binary_name": "libjetty-java"
        }
    ]
}

Ubuntu:Pro:16.04:LTS

jetty

Package

Name
jetty
Purl
pkg:deb/ubuntu/jetty@6.1.26-5ubuntu0.1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.26-5
6.1.26-5ubuntu0.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "6.1.26-5ubuntu0.1",
            "binary_name": "libjetty-extra"
        },
        {
            "binary_version": "6.1.26-5ubuntu0.1",
            "binary_name": "libjetty-extra-java"
        },
        {
            "binary_version": "6.1.26-5ubuntu0.1",
            "binary_name": "libjetty-java"
        }
    ]
}

jetty9

Package

Name
jetty9
Purl
pkg:deb/ubuntu/jetty9@9.2.14-1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.2.14-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "9.2.14-1",
            "binary_name": "jetty9"
        },
        {
            "binary_version": "9.2.14-1",
            "binary_name": "libjetty9-extra-java"
        },
        {
            "binary_version": "9.2.14-1",
            "binary_name": "libjetty9-java"
        }
    ]
}

Ubuntu:Pro:18.04:LTS

jetty9

Package

Name
jetty9
Purl
pkg:deb/ubuntu/jetty9@9.4.15-1~18.04.1ubuntu1?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.2.22-2
9.2.22-3
9.2.23-1
9.4.15-1~18.04.1ubuntu1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "9.4.15-1~18.04.1ubuntu1",
            "binary_name": "jetty9"
        },
        {
            "binary_version": "9.4.15-1~18.04.1ubuntu1",
            "binary_name": "libjetty9-extra-java"
        },
        {
            "binary_version": "9.4.15-1~18.04.1ubuntu1",
            "binary_name": "libjetty9-java"
        }
    ]
}

Ubuntu:Pro:20.04:LTS

jetty9

Package

Name
jetty9
Purl
pkg:deb/ubuntu/jetty9@9.4.26-1?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.4.18-2build2
9.4.26-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "9.4.26-1",
            "binary_name": "jetty9"
        },
        {
            "binary_version": "9.4.26-1",
            "binary_name": "libjetty9-extra-java"
        },
        {
            "binary_version": "9.4.26-1",
            "binary_name": "libjetty9-java"
        }
    ]
}