{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1605", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2026-01-29T10:58:31.963Z", "datePublished": "2026-03-05T09:39:01.315Z", "dateUpdated": "2026-03-05T14:46:16.289Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Eclipse Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "12.0.31", "status": "affected", "version": "12.0.0", "versionType": "semver"}, {"lessThanOrEqual": "12.1.5", "status": "affected", "version": "12.1.0.", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gleb Sizov (@glebashnik)"}, {"lang": "en", "type": "finder", "value": "Bj\u00f8rn Christian Seime (@bjorncs)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class <code>GzipHandler</code> exposes a vulnerability when a compressed HTTP request, with <code>Content-Encoding: gzip</code>, is processed and the corresponding response is not compressed.</p>\n<p>This happens because the JDK <code>Inflater</code> is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.</p>"}], "value": "In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.\n\n\nThis happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-03-05T09:39:01.315Z"}, "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T14:46:07.126962Z", "id": "CVE-2026-1605", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:46:16.289Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1605", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2026-01-29T10:58:31.963Z", "datePublished": "2026-03-05T09:39:01.315Z", "dateUpdated": "2026-03-05T14:46:16.289Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Eclipse Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "12.0.31", "status": "affected", "version": "12.0.0", "versionType": "semver"}, {"lessThanOrEqual": "12.1.5", "status": "affected", "version": "12.1.0.", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gleb Sizov (@glebashnik)"}, {"lang": "en", "type": "finder", "value": "Bj\u00f8rn Christian Seime (@bjorncs)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class <code>GzipHandler</code> exposes a vulnerability when a compressed HTTP request, with <code>Content-Encoding: gzip</code>, is processed and the corresponding response is not compressed.</p>\n<p>This happens because the JDK <code>Inflater</code> is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.</p>"}], "value": "In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.\n\n\nThis happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-03-05T09:39:01.315Z"}, "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T14:46:07.126962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:46:13.125Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.\n\n\nThis happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak."}], "id": "CVE-2026-1605", "lastModified": "2026-03-05T19:38:33.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2026-03-05T10:15:56.890", "references": [{"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-401"}], "source": "emo@eclipse.org", "type": "Primary"}]}

{"bugzilla": {"description": "org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests", "id": "2444815", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444815"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the server's response is not compressed. This prevents the release of the JDK Inflater, leading to a resource leak. This resource exhaustion can result in a Denial of Service (DoS), making the server unavailable to legitimate users."], "name": "CVE-2026-1605", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "maven-wagon", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "jmc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:offline_knowledge_portal:1", "fix_state": "Not affected", "package_name": "offline-knowledge-portal/rhokp-rhel9", "product_name": "Red Hat Offline Knowledge Portal"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:el8/puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-03-05T09:39:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1605\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1605\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"], "threat_severity": "Important"}