Overview
This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.
Vulnerability Details
- CVE ID: CVE-2026-1605
- Dependency Name: jetty-server
- Affected Version of Dependency: 12.0.0-12.0.31, 12.1.0-12.1.5
- Severity Score: CNA 7.5 High
Affected Versions of DPGW
- 1.13.13-REL – 1.13.16-REL
- 1.12.09-REL – 1.12.39-REL
- 1.11.16-REL – 1.11.43-REL
Risk Assessment & Applicability
Usage
DPGW uses Jetty as the web server that handles all clients.
Analysis
The vulnerability is directly linked to the web server, and no authorization of any kind is required to perform the attack. If the web server port(s) are reachable from an external network (the internet), anybody can crash DPGW by sending a malicious HTTP request.
Status
Affected
Severity Score in the context of DPGW: 8.7 High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Impact on DPGW
If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be a crash of the JVM, leading to temporary unavailability of the service.
Remediation & Mitigations
Fix
Update to: 1.13.17-REL or newer, 1.12.40-REL or newer, 1.11.44-REL or newer.
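To check a deployment inventory against the affected ranges and fixed releases listed above, the following added example (not part of the original advisory or of DPGW) classifies version strings. It assumes versions are written as MAJOR.MINOR.PATCH-REL as shown in this advisory; the function names and the sample hosts are hypothetical.

```python
import re

# Affected ranges and first fixed release per branch, copied from this advisory.
# Key: (major, minor) -> (first affected patch, last affected patch, fixed release)
AFFECTED = {
    (1, 13): (13, 16, "1.13.17-REL"),
    (1, 12): (9, 39, "1.12.40-REL"),
    (1, 11): (16, 43, "1.11.44-REL"),
}

# Assumption: versions are written MAJOR.MINOR.PATCH-REL, patch possibly zero-padded.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-REL$")


def triage(version):
    """Return (status, fixed_release) for one DPGW version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return ("unparseable", None)
    major, minor, patch = (int(g) for g in m.groups())
    entry = AFFECTED.get((major, minor))
    if entry is None:
        # The advisory says nothing about this branch; do not assume it is safe.
        return ("branch-not-listed", None)
    first, last, fixed = entry
    if first <= patch <= last:
        return ("affected", fixed)
    if patch > last:
        return ("fixed", None)
    return ("before-affected-range", None)


def triage_inventory(inventory):
    """Return (host, version, status, fixed_release) rows, affected hosts first."""
    rows = [(host, ver, *triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (r[2] != "affected", r[0]))


if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders.
    sample = {"gw-a.example": "1.13.15-REL", "gw-b.example": "1.12.40-REL",
              "gw-c.example": "1.11.15-REL", "gw-d.example": "1.10.02-REL"}
    for host, ver, status, fixed in triage_inventory(sample):
        hint = f" -> update to {fixed} or newer" if fixed else ""
        print(f"{host:14} {ver:12} {status}{hint}")
```

Versions reported as "branch-not-listed" or "before-affected-range" fall outside what this advisory covers and should be reviewed separately rather than treated as safe.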
User Actions
Users can mitigate this vulnerability by disabling gzip compression in dpgw.xml.