Eclipse · Eclipse Jetty · CVE-2025-1948
**Name of the Vulnerable Software and Affected Versions**
Eclipse Jetty versions 12.0.0 through 12.0.16
**Description**
The issue arises when an HTTP/2 client advertises a very large value for the `SETTINGS_MAX_HEADER_LIST_SIZE` parameter in a SETTINGS frame. RFC 9113 defines this setting as advisory and places no upper bound on it, so a peer may send any 32-bit value. The Jetty HTTP/2 server does not validate the advertised value and attempts to allocate a ByteBuffer of that capacity when encoding HTTP response headers. Because SETTINGS frames are exchanged at connection setup, before any application-level authentication, a single client connection can trigger an OutOfMemoryError and, depending on JVM configuration, cause the JVM process to exit (denial of service).
**Recommendations**
For Eclipse Jetty versions 12.0.0 through 12.0.16, upgrade as soon as a release that validates `SETTINGS_MAX_HEADER_LIST_SIZE` is available. Until then, avoid exposing Jetty's HTTP/2 endpoint directly to untrusted clients: disable HTTP/2 (the `http2` and `http2c` start modules, or the HTTP/2 connection factories in embedded deployments), or terminate HTTP/2 at a reverse proxy or load balancer that speaks HTTP/1.1 to Jetty. If you build Jetty yourself, clamp the peer-advertised value to a configured maximum before it is used to size any buffer. Note that the setting is only a hint about what the peer will accept, so clamping it has no correctness cost for the server; treat the issue as an unauthenticated denial of service when prioritizing.
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Check the Jetty release notes and GitHub security advisories for a release later than 12.0.16 before relying on an upgrade as the remediation.
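As an added example (not Eclipse Jetty code), the following Python shows the wire format of the HTTP/2 SETTINGS frame that carries `SETTINGS_MAX_HEADER_LIST_SIZE`, the framing checks RFC 9113 requires, and the difference between the vulnerable pattern described above (sizing an encoder buffer from the peer's value as-is) and the clamped handling the Recommendations call for. The default and ceiling values, and all function names, are assumptions for illustration, not Jetty's defaults or API.

```python
"""Added example, not Eclipse Jetty code.

Encodes and decodes an HTTP/2 SETTINGS frame (RFC 9113, section 6.5) and
contrasts trusting the peer's SETTINGS_MAX_HEADER_LIST_SIZE verbatim when
sizing a header-encoding buffer with clamping it to a local ceiling first.
"""
import struct

FRAME_HEADER_LEN = 9
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1

# Setting identifiers from RFC 9113, section 6.5.2.
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_ENABLE_PUSH = 0x2
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
SETTINGS_MAX_FRAME_SIZE = 0x5
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

# Assumed local policy (illustrative numbers, not Jetty defaults): the size
# used when the peer advertises nothing, and the ceiling applied to whatever
# the peer advertises. RFC 9113 gives this setting no upper bound of its own.
DEFAULT_HEADER_LIST_SIZE = 8 * 1024
MAX_ACCEPTED_HEADER_LIST_SIZE = 64 * 1024


def encode_settings_frame(settings):
    """Build a SETTINGS frame on stream 0 from (identifier, value) pairs."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in settings)
    length = struct.pack(">I", len(payload))[1:]          # 24-bit length field
    header = length + bytes([FRAME_TYPE_SETTINGS, 0x00])  # type, flags
    header += struct.pack(">I", 0)                        # R bit + stream id 0
    return header + payload


def decode_settings_frame(frame):
    """Parse a SETTINGS frame, enforcing the RFC 9113 framing rules."""
    if len(frame) < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    frame_type, flags = frame[3], frame[4]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    if frame_type != FRAME_TYPE_SETTINGS:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("SETTINGS must be on stream 0 (PROTOCOL_ERROR)")
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if flags & FLAG_ACK:
        if length != 0:
            raise ValueError("ACK with payload (FRAME_SIZE_ERROR)")
        return []
    if length % 6:
        raise ValueError("payload not a multiple of 6 (FRAME_SIZE_ERROR)")
    return [struct.unpack(">HI", payload[i:i + 6]) for i in range(0, length, 6)]


def naive_encoder_buffer_size(peer_settings):
    """The unsafe pattern: size the buffer from the peer's value unchecked."""
    return dict(peer_settings).get(SETTINGS_MAX_HEADER_LIST_SIZE,
                                   DEFAULT_HEADER_LIST_SIZE)


def bounded_encoder_buffer_size(peer_settings, ceiling=MAX_ACCEPTED_HEADER_LIST_SIZE):
    """The hardened pattern: the setting is advisory, so clamp it before any
    allocation depends on it."""
    advertised = dict(peer_settings).get(SETTINGS_MAX_HEADER_LIST_SIZE)
    if advertised is None:
        return DEFAULT_HEADER_LIST_SIZE
    return min(advertised, ceiling)


if __name__ == "__main__":
    # Constructed sample: a client advertising the largest 32-bit value.
    hostile = encode_settings_frame([(SETTINGS_MAX_HEADER_LIST_SIZE, 0xFFFFFFFF)])
    parsed = decode_settings_frame(hostile)
    print("advertised  :", parsed)
    print("naive size  :", naive_encoder_buffer_size(parsed))
    print("bounded size:", bounded_encoder_buffer_size(parsed))
```

The naive function hands back roughly 4 GiB as a buffer capacity for a single connection; a JVM asked to allocate a ByteBuffer of that size fails with an OutOfMemoryError, which is the failure mode this advisory describes. The bounded variant never returns more than the local ceiling regardless of what the peer sends, and because the setting is only a hint about what the peer will accept, a smaller encoding buffer does not change the server's behaviour for well-behaved clients.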