{
  "threat_severity" : "Important",
  "public_date" : "2025-05-08T17:48:40Z",
  "bugzilla" : {
    "description" : "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
    "id" : "2365137",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "In Eclipse Jetty versions 12.0.0 to 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE.\nThe Jetty HTTP/2 server does not validate this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in an OutOfMemoryError being thrown, or even the JVM process exiting.", "A flaw was found in Eclipse Jetty. This vulnerability allows a denial-of-service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter." ],
  "affected_release" : [ {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10118",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-0:2.504.2.1750932984-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10118",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-2-plugins-0:4.12.1750933270-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10119",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-0:2.504.2.1750916374-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10119",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-2-plugins-0:4.13.1750916671-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.14-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10120",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8",
    "package" : "jenkins-0:2.504.2.1750903189-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.14-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10120",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8",
    "package" : "jenkins-2-plugins-0:4.14.1750903529-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.15-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10104",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8",
    "package" : "jenkins-0:2.504.2.1750856366-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.15-RHEL-8",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10104",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8",
    "package" : "jenkins-2-plugins-0:4.15.1750856638-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.16-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10098",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9",
    "package" : "jenkins-0:2.504.2.1750857144-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.16-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10098",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9",
    "package" : "jenkins-2-plugins-0:4.16.1750857315-1.el9"
  }, {
    "product_name" : "OCP-Tools-4.17-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10097",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9",
    "package" : "jenkins-0:2.504.2.1750851690-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.17-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10097",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9",
    "package" : "jenkins-2-plugins-0:4.17.1750851950-1.el9"
  }, {
    "product_name" : "OCP-Tools-4.18-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10092",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9",
    "package" : "jenkins-0:2.504.2.1750846524-3.el9"
  }, {
    "product_name" : "OCP-Tools-4.18-RHEL-9",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10092",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9",
    "package" : "jenkins-2-plugins-0:4.18.1750846854-1.el9"
  }, {
    "product_name" : "Red Hat AMQ Broker 7.13.1",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13274",
    "cpe" : "cpe:/a:redhat:amq_broker:7.13",
    "package" : "jetty-http2-common"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4.10.3 for Spring Boot",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7696",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10.3",
    "package" : "jetty-http2-common"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-1948\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1948\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/56" ],
  "name" : "CVE-2025-1948",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}