Refine your search
6 vulnerabilities found for Jetty by Eclipse Foundation
CVE-2024-8184 (GCVE-0-2024-8184)
Vulnerability from nvd
Published
2024-10-14 15:09
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Jetty |
Version: 9.3.12 ≤ 9.4.55 Version: 10.0.0 ≤ 10.0.23 Version: 11.0.0 ≤ 11.0.23 Version: 12.0.0 ≤ 12.0.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:41:50.744158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:42:01.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:56.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-server"
],
"packageName": "org.eclipse.jetty:jetty-server",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "9.4.55",
"status": "affected",
"version": "9.3.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.0.23",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.0.23",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "https://github.com/HRsGIT"
}
],
"datePublic": "2024-10-14T03:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There exists a security vulnerability in Jetty\u0027s \u003ccode\u003eThreadLimitHandler.getRemote()\u003c/code\u003e which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.\u003cbr\u003e"
}
],
"value": "There exists a security vulnerability in Jetty\u0027s ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T15:30:02.698Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
},
{
"url": "https://github.com/jetty/jetty.project/pull/11723"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Do not use \u003ccode\u003eThreadLimitHandler\u003c/code\u003e.\u003cbr\u003e\nConsider use of \u003ccode\u003eQoSHandler\u003c/code\u003e instead to artificially limit resource utilization.\u003cbr\u003e"
}
],
"value": "Do not use ThreadLimitHandler.\n\nConsider use of QoSHandler instead to artificially limit resource utilization."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-8184",
"datePublished": "2024-10-14T15:09:37.861Z",
"dateReserved": "2024-08-26T15:58:44.006Z",
"dateUpdated": "2025-11-03T19:34:56.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6762 (GCVE-0-2024-6762)
Vulnerability from nvd
Published
2024-10-14 15:07
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Jetty PushSessionCacheFilter can be exploited by unauthenticated users
to launch remote DoS attacks by exhausting the server’s memory.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Jetty |
Version: 10.0.0 ≤ 10.0.17 Version: 11.0.0 ≤ 11.0.17 Version: 12.0.0 ≤ 12.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:42:42.629742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:42:50.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:37.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-servlets"
],
"packageName": "org.eclipse.jetty:jetty-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "10.0.17",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.0.17",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lian Kee"
}
],
"datePublic": "2024-10-14T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eJetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T15:07:10.942Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"
},
{
"url": "https://github.com/jetty/jetty.project/pull/9715"
},
{
"url": "https://github.com/jetty/jetty.project/pull/9716"
},
{
"url": "https://github.com/jetty/jetty.project/pull/10756"
},
{
"url": "https://github.com/jetty/jetty.project/pull/10755"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jetty PushSessionCacheFilter can cause remote DoS attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003enot using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\u003c/li\u003e\n\u003cli\u003ereducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\u003c/li\u003e\n\u003cli\u003econfiguring a session cache to use \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\"\u003esession passivation\u003c/a\u003e,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\n\n\n\n * not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n * reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n * configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-6762",
"datePublished": "2024-10-14T15:07:10.942Z",
"dateReserved": "2024-07-15T17:35:50.791Z",
"dateUpdated": "2025-11-03T19:34:37.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9823 (GCVE-0-2024-9823)
Vulnerability from nvd
Published
2024-10-14 15:03
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Eclipse Foundation | Jetty |
Version: 9.0.0 Version: 10.0.0 Version: 11.0.0 ≤ |
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "jetty",
"vendor": "eclipse",
"versions": [
{
"lessThan": "9.4.54",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "10.0.18",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "11.0.18",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:46:11.062398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:49:38.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:02.369Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250306-0006/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-servlets"
],
"packageName": "org.eclipse.jetty:jetty-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThan": "9.4.54",
"status": "affected",
"version": "9.0.0",
"versionType": "semvar"
},
{
"lessThan": "10.0.18",
"status": "affected",
"version": "10.0.0",
"versionType": "semvar"
},
{
"lessThan": "11.0.18",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-ee8-servlets"
],
"packageName": "org.eclipse.jetty.ee8:jetty-ee8-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Jetty",
"versions": [
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semvar"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-ee9-servlets"
],
"packageName": "org.eclipse.jetty.ee8:jetty-ee9-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Jetty",
"versions": [
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-ee10-servlets"
],
"packageName": "org.eclipse.jetty.ee8:jetty-ee10-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Jetty",
"versions": [
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semvar"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lian Kee"
}
],
"datePublic": "2024-10-14T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There exists a security vulnerability in Jetty\u0027s DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory finally.\u003cbr\u003e"
}
],
"value": "There exists a security vulnerability in Jetty\u0027s DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory finally."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T15:29:14.390Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
},
{
"url": "https://github.com/jetty/jetty.project/issues/1256"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jetty DOS vulnerability on DosFilter",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \u003ccode\u003eDoSFilter\u003c/code\u003e can be configured to not use sessions for tracking usage by setting the \u003ccode\u003etrackSessions\u003c/code\u003e init parameter to \u003ccode\u003efalse\u003c/code\u003e. This will then use only the IP tracking mechanism, which is not vulnerable.\u003cbr\u003e\nSessions can also be configured to have aggressive passivation or inactivation limits.\u003cbr\u003e"
}
],
"value": "The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.\n\nSessions can also be configured to have aggressive passivation or inactivation limits."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-9823",
"datePublished": "2024-10-14T15:03:02.293Z",
"dateReserved": "2024-10-10T15:56:32.744Z",
"dateUpdated": "2025-11-03T19:35:02.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8184 (GCVE-0-2024-8184)
Vulnerability from cvelistv5
Published
2024-10-14 15:09
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Jetty |
Version: 9.3.12 ≤ 9.4.55 Version: 10.0.0 ≤ 10.0.23 Version: 11.0.0 ≤ 11.0.23 Version: 12.0.0 ≤ 12.0.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:41:50.744158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:42:01.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:56.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-server"
],
"packageName": "org.eclipse.jetty:jetty-server",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "9.4.55",
"status": "affected",
"version": "9.3.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.0.23",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.0.23",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.0.8",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "https://github.com/HRsGIT"
}
],
"datePublic": "2024-10-14T03:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There exists a security vulnerability in Jetty\u0027s \u003ccode\u003eThreadLimitHandler.getRemote()\u003c/code\u003e which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.\u003cbr\u003e"
}
],
"value": "There exists a security vulnerability in Jetty\u0027s ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T15:30:02.698Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
},
{
"url": "https://github.com/jetty/jetty.project/pull/11723"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Do not use \u003ccode\u003eThreadLimitHandler\u003c/code\u003e.\u003cbr\u003e\nConsider use of \u003ccode\u003eQoSHandler\u003c/code\u003e instead to artificially limit resource utilization.\u003cbr\u003e"
}
],
"value": "Do not use ThreadLimitHandler.\n\nConsider use of QoSHandler instead to artificially limit resource utilization."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-8184",
"datePublished": "2024-10-14T15:09:37.861Z",
"dateReserved": "2024-08-26T15:58:44.006Z",
"dateUpdated": "2025-11-03T19:34:56.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6762 (GCVE-0-2024-6762)
Vulnerability from cvelistv5
Published
2024-10-14 15:07
Modified
2025-11-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Jetty PushSessionCacheFilter can be exploited by unauthenticated users
to launch remote DoS attacks by exhausting the server’s memory.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Jetty |
Version: 10.0.0 ≤ 10.0.17 Version: 11.0.0 ≤ 11.0.17 Version: 12.0.0 ≤ 12.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:42:42.629742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:42:50.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:37.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-servlets"
],
"packageName": "org.eclipse.jetty:jetty-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "10.0.17",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.0.17",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lian Kee"
}
],
"datePublic": "2024-10-14T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eJetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T15:07:10.942Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"
},
{
"url": "https://github.com/jetty/jetty.project/pull/9715"
},
{
"url": "https://github.com/jetty/jetty.project/pull/9716"
},
{
"url": "https://github.com/jetty/jetty.project/pull/10756"
},
{
"url": "https://github.com/jetty/jetty.project/pull/10755"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jetty PushSessionCacheFilter can cause remote DoS attacks",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003enot using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\u003c/li\u003e\n\u003cli\u003ereducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\u003c/li\u003e\n\u003cli\u003econfiguring a session cache to use \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\"\u003esession passivation\u003c/a\u003e,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.\u003c/li\u003e\n\u003c/ul\u003e"
}
],
"value": "The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\n\n\n\n * not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n * reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n * configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-6762",
"datePublished": "2024-10-14T15:07:10.942Z",
"dateReserved": "2024-07-15T17:35:50.791Z",
"dateUpdated": "2025-11-03T19:34:37.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9823 (GCVE-0-2024-9823)
Vulnerability from cvelistv5
Published
2024-10-14 15:03
Modified
2025-11-03 19:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Eclipse Foundation | Jetty |
Version: 9.0.0 Version: 10.0.0 Version: 11.0.0 ≤ |
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "jetty",
"vendor": "eclipse",
"versions": [
{
"lessThan": "9.4.54",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "10.0.18",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "11.0.18",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:46:11.062398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:49:38.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:02.369Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250306-0006/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-servlets"
],
"packageName": "org.eclipse.jetty:jetty-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThan": "9.4.54",
"status": "affected",
"version": "9.0.0",
"versionType": "semvar"
},
{
"lessThan": "10.0.18",
"status": "affected",
"version": "10.0.0",
"versionType": "semvar"
},
{
"lessThan": "11.0.18",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-ee8-servlets"
],
"packageName": "org.eclipse.jetty.ee8:jetty-ee8-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Jetty",
"versions": [
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semvar"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-ee9-servlets"
],
"packageName": "org.eclipse.jetty.ee8:jetty-ee9-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Jetty",
"versions": [
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-ee10-servlets"
],
"packageName": "org.eclipse.jetty.ee8:jetty-ee10-servlets",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Jetty",
"versions": [
{
"lessThan": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "semvar"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lian Kee"
}
],
"datePublic": "2024-10-14T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There exists a security vulnerability in Jetty\u0027s DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory finally.\u003cbr\u003e"
}
],
"value": "There exists a security vulnerability in Jetty\u0027s DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory finally."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T15:29:14.390Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
},
{
"url": "https://github.com/jetty/jetty.project/issues/1256"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jetty DOS vulnerability on DosFilter",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \u003ccode\u003eDoSFilter\u003c/code\u003e can be configured to not use sessions for tracking usage by setting the \u003ccode\u003etrackSessions\u003c/code\u003e init parameter to \u003ccode\u003efalse\u003c/code\u003e. This will then use only the IP tracking mechanism, which is not vulnerable.\u003cbr\u003e\nSessions can also be configured to have aggressive passivation or inactivation limits.\u003cbr\u003e"
}
],
"value": "The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.\n\nSessions can also be configured to have aggressive passivation or inactivation limits."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-9823",
"datePublished": "2024-10-14T15:03:02.293Z",
"dateReserved": "2024-10-10T15:56:32.744Z",
"dateUpdated": "2025-11-03T19:35:02.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}