cvelistv5 - cve-2024-6762

CVE-2024-6762 (GCVE-0-2024-6762)

Vulnerability from cvelistv5

Published

2024-10-14 15:07

Modified

2024-10-15 17:42

Severity ?

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Summary

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

References

►

URL

Tags

emo@eclipse.org	https://github.com/jetty/jetty.project/pull/10755	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/pull/10756	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/pull/9715	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/pull/9716	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79	Vendor Advisory
emo@eclipse.org	https://gitlab.eclipse.org/security/cve-assignement/-/issues/24	Issue Tracking, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Eclipse Foundation	Jetty	Version: 10.0.0 ≤ 10.0.17 Version: 11.0.0 ≤ 11.0.17 Version: 12.0.0 ≤ 12.0.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:42:42.629742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T17:42:50.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "modules": [
            "jetty-servlets"
          ],
          "packageName": "org.eclipse.jetty:jetty-servlets",
          "product": "Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "10.0.17",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.0.17",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "12.0.3",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lian Kee"
        }
      ],
      "datePublic": "2024-10-14T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eJetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-14T15:07:10.942Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"
        },
        {
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/9715"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/9716"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/10756"
        },
        {
          "url": "https://github.com/jetty/jetty.project/pull/10755"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Jetty  PushSessionCacheFilter can cause remote DoS attacks",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003enot using the PushCacheFilter.  Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\u003c/li\u003e\n\u003cli\u003ereducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\u003c/li\u003e\n\u003cli\u003econfiguring a session cache to use \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\"\u003esession passivation\u003c/a\u003e,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.\u003c/li\u003e\n\u003c/ul\u003e"
            }
          ],
          "value": "The session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\n\n\n\n  *  not using the PushCacheFilter.  Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n  *  reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n  *  configuring a session cache to use  session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2024-6762",
    "datePublished": "2024-10-14T15:07:10.942Z",
    "dateReserved": "2024-07-15T17:35:50.791Z",
    "dateUpdated": "2024-10-15T17:42:50.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-6762\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2024-10-14T16:15:03.930\",\"lastModified\":\"2024-11-08T21:29:51.237\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jetty PushSessionCacheFilter can be exploited by unauthenticated users \\nto launch remote DoS attacks by exhausting the server\u2019s memory.\"},{\"lang\":\"es\",\"value\":\"Jetty PushSessionCacheFilter puede ser explotado por usuarios no autenticados para lanzar ataques DoS remotos agotando la memoria del servidor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.0.18\",\"matchCriteriaId\":\"464A4A99-38E9-4ECD-AD6E-309AABC2F016\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.0.18\",\"matchCriteriaId\":\"823119A8-D743-4EFB-A35A-2821C5960139\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.0.4\",\"matchCriteriaId\":\"FE233C37-A184-44BC-B8C0-40F7B1E7512E\"}]}]}],\"references\":[{\"url\":\"https://github.com/jetty/jetty.project/pull/10755\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jetty/jetty.project/pull/10756\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jetty/jetty.project/pull/9715\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jetty/jetty.project/pull/9716\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.eclipse.org/security/cve-assignement/-/issues/24\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6762\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-15T17:42:42.629742Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-15T17:42:46.395Z\"}}], \"cna\": {\"title\": \"Jetty  PushSessionCacheFilter can cause remote DoS attacks\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Lian Kee\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/jetty/jetty.project\", \"vendor\": \"Eclipse Foundation\", \"modules\": [\"jetty-servlets\"], \"product\": \"Jetty\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.0.17\"}, {\"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.0.17\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"12.0.3\"}], \"packageName\": \"org.eclipse.jetty:jetty-servlets\", \"collectionURL\": \"https://repo.maven.apache.org/maven2/\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-10-14T15:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79\"}, {\"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/24\"}, {\"url\": \"https://github.com/jetty/jetty.project/pull/9715\"}, {\"url\": \"https://github.com/jetty/jetty.project/pull/9716\"}, {\"url\": \"https://github.com/jetty/jetty.project/pull/10756\"}, {\"url\": \"https://github.com/jetty/jetty.project/pull/10755\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"The session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\\n\\n\\n\\n  *  not using the PushCacheFilter.  Push has been deprecated by the \\nvarious IETF specs and early hints responses should be used instead.\\n\\n  *  reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\\n\\n  *  configuring a session cache to use  session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\\n so that sessions are not stored in memory, but rather in a database or \\nfile system that may have significantly more capacity than memory.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003enot using the PushCacheFilter.  Push has been deprecated by the \\nvarious IETF specs and early hints responses should be used instead.\u003c/li\u003e\\n\u003cli\u003ereducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\u003c/li\u003e\\n\u003cli\u003econfiguring a session cache to use \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\\\"\u003esession passivation\u003c/a\u003e,\\n so that sessions are not stored in memory, but rather in a database or \\nfile system that may have significantly more capacity than memory.\u003c/li\u003e\\n\u003c/ul\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jetty PushSessionCacheFilter can be exploited by unauthenticated users \\nto launch remote DoS attacks by exhausting the server\\u2019s memory.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eJetty PushSessionCacheFilter can be exploited by unauthenticated users \\nto launch remote DoS attacks by exhausting the server\\u2019s memory.\u003c/div\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"shortName\": \"eclipse\", \"dateUpdated\": \"2024-10-14T15:07:10.942Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-6762\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-15T17:42:50.434Z\", \"dateReserved\": \"2024-07-15T17:35:50.791Z\", \"assignerOrgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"datePublished\": \"2024-10-14T15:07:10.942Z\", \"assignerShortName\": \"eclipse\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

wid-sec-w-2024-3176

Vulnerability from csaf_certbund

Published

2024-10-14 22:00

Modified

2025-08-06 22:00

Summary

Eclipse Jetty: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Eclipse Jetty ist ein Java-HTTP-Server und Java-Servlet-Container.

Angriff

Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Eclipse Jetty ausnutzen, um einen Denial of Service Angriff zu erzeugen und Daten zu manipulieren.

Betroffene Betriebssysteme

- Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Eclipse Jetty ist ein Java-HTTP-Server und Java-Servlet-Container.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Eclipse Jetty ausnutzen, um einen Denial of Service Angriff zu erzeugen und Daten zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3176 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3176.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3176 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3176"
      },
      {
        "category": "external",
        "summary": "Jetty Advisory vom 2024-10-14",
        "url": "https://www.eclipse.org//lists/jetty-announce/msg00193.html"
      },
      {
        "category": "external",
        "summary": "Jetty Advisory vom 2024-10-14",
        "url": "https://www.eclipse.org//lists/jetty-announce/msg00194.html"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory vom 2024-10-14",
        "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:3720-1 vom 2024-10-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/O3QVMQNMY7KSISCQZHRID4KVIGDCRX47/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2024:14408-1 vom 2024-10-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BNU3R7DW4USCKK4UHDLFZ57HXWYZNOCE/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:9571 vom 2024-11-13",
        "url": "https://access.redhat.com/errata/RHSA-2024:9571"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7176904 vom 2024-12-06",
        "url": "https://www.ibm.com/support/pages/node/7176904"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:11023 vom 2024-12-12",
        "url": "https://access.redhat.com/errata/RHSA-2024:11023"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2024-2702 vom 2024-12-20",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2702.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7183584 vom 2025-02-18",
        "url": "https://www.ibm.com/support/pages/node/7183584"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2416 vom 2025-03-05",
        "url": "https://access.redhat.com/errata/RHSA-2025:2416"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20250306-0006 vom 2025-03-06",
        "url": "https://security.netapp.com/advisory/ntap-20250306-0006/"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20250306-0005 vom 2025-03-06",
        "url": "https://security.netapp.com/advisory/ntap-20250306-0005/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7229444 vom 2025-03-28",
        "url": "https://www.ibm.com/support/pages/node/7229444"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4106 vom 2025-04-02",
        "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5894 vom 2025-04-05",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00056.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7231640 vom 2025-04-23",
        "url": "https://www.ibm.com/support/pages/node/7231640"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7232032 vom 2025-04-29",
        "url": "https://www.ibm.com/support/pages/node/7232032"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin",
        "url": "https://www.ibm.com/support/pages/node/7234827"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15160-1 vom 2025-05-27",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YHGGC7B6PWN2UBH367C4SXP6PWNDYAXM/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:01738-1 vom 2025-05-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4ULIFKC3HN46CWW5I3UU5DGUJKMLM6UC/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:9922 vom 2025-06-30",
        "url": "https://access.redhat.com/errata/RHSA-2025:9922"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:12511 vom 2025-08-03",
        "url": "https://access.redhat.com/errata/RHSA-2025:12511"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7241577 vom 2025-08-06",
        "url": "https://www.ibm.com/support/pages/node/7241577"
      }
    ],
    "source_lang": "en-US",
    "title": "Eclipse Jetty: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-08-06T22:00:00.000+00:00",
      "generator": {
        "date": "2025-08-07T08:49:35.752+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2024-3176",
      "initial_release_date": "2024-10-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-10-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-10-17T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-10-20T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2024-11-13T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-12-05T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-12-12T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-12-19T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-02-18T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-03-05T23:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-06T23:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von NetApp aufgenommen"
        },
        {
          "date": "2025-03-30T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-01T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-04-06T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-04-23T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-28T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-05-27T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von IBM und openSUSE aufgenommen"
        },
        {
          "date": "2025-05-29T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-06-30T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-08-03T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-08-06T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "20"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c12.0.9",
                "product": {
                  "name": "Eclipse Jetty \u003c12.0.9",
                  "product_id": "T038318"
                }
              },
              {
                "category": "product_version",
                "name": "12.0.9",
                "product": {
                  "name": "Eclipse Jetty 12.0.9",
                  "product_id": "T038318-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:12.0.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.0.24",
                "product": {
                  "name": "Eclipse Jetty \u003c10.0.24",
                  "product_id": "T038319"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.24",
                "product": {
                  "name": "Eclipse Jetty 10.0.24",
                  "product_id": "T038319-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:10.0.24"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.24",
                "product": {
                  "name": "Eclipse Jetty \u003c11.0.24",
                  "product_id": "T038320"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.24",
                "product": {
                  "name": "Eclipse Jetty 11.0.24",
                  "product_id": "T038320-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:11.0.24"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.4.56",
                "product": {
                  "name": "Eclipse Jetty \u003c9.4.56",
                  "product_id": "T038321"
                }
              },
              {
                "category": "product_version",
                "name": "9.4.56",
                "product": {
                  "name": "Eclipse Jetty 9.4.56",
                  "product_id": "T038321-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:9.4.56"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c12.0.3",
                "product": {
                  "name": "Eclipse Jetty \u003c12.0.3",
                  "product_id": "T038322"
                }
              },
              {
                "category": "product_version",
                "name": "12.0.3",
                "product": {
                  "name": "Eclipse Jetty 12.0.3",
                  "product_id": "T038322-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:12.0.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.4.54",
                "product": {
                  "name": "Eclipse Jetty \u003c9.4.54",
                  "product_id": "T038323"
                }
              },
              {
                "category": "product_version",
                "name": "9.4.54",
                "product": {
                  "name": "Eclipse Jetty 9.4.54",
                  "product_id": "T038323-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:9.4.54"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.0.18",
                "product": {
                  "name": "Eclipse Jetty \u003c10.0.18",
                  "product_id": "T038324"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.18",
                "product": {
                  "name": "Eclipse Jetty 10.0.18",
                  "product_id": "T038324-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:10.0.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.18",
                "product": {
                  "name": "Eclipse Jetty \u003c11.0.18",
                  "product_id": "T038325"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.18",
                "product": {
                  "name": "Eclipse Jetty 11.0.18",
                  "product_id": "T038325-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:11.0.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c12.0.4",
                "product": {
                  "name": "Eclipse Jetty \u003c12.0.4",
                  "product_id": "T038326"
                }
              },
              {
                "category": "product_version",
                "name": "12.0.4",
                "product": {
                  "name": "Eclipse Jetty 12.0.4",
                  "product_id": "T038326-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:12.0.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c12.0.12",
                "product": {
                  "name": "Eclipse Jetty \u003c12.0.12",
                  "product_id": "T038327"
                }
              },
              {
                "category": "product_version",
                "name": "12.0.12",
                "product": {
                  "name": "Eclipse Jetty 12.0.12",
                  "product_id": "T038327-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:eclipse:jetty:12.0.12"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Jetty"
          }
        ],
        "category": "vendor",
        "name": "Eclipse"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM Business Automation Workflow",
            "product": {
              "name": "IBM Business Automation Workflow",
              "product_id": "T019704",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:business_automation_workflow:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.7",
                "product": {
                  "name": "IBM InfoSphere Information Server 11.7",
                  "product_id": "444803",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "InfoSphere Information Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.4-1.10.1.0",
                "product": {
                  "name": "IBM Installation Manager 1.4-1.10.1.0",
                  "product_id": "T043115",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:installation_manager:1.4_-_1.10.1.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Installation Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV8.11.0.1 Interim fix 042",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.11.0.1 Interim fix 042",
                  "product_id": "T043174"
                }
              },
              {
                "category": "product_version",
                "name": "V8.11.0.1 Interim fix 042",
                "product": {
                  "name": "IBM Operational Decision Manager V8.11.0.1 Interim fix 042",
                  "product_id": "T043174-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.11.0.1_interim_fix_042"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV8.11.1.0: Interim fix 039",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.11.1.0: Interim fix 039",
                  "product_id": "T043175"
                }
              },
              {
                "category": "product_version",
                "name": "V8.11.1.0: Interim fix 039",
                "product": {
                  "name": "IBM Operational Decision Manager V8.11.1.0: Interim fix 039",
                  "product_id": "T043175-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.11.1.0_interim_fix_039"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV8.12.0.1: Interim fix 024",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.12.0.1: Interim fix 024",
                  "product_id": "T043176"
                }
              },
              {
                "category": "product_version",
                "name": "V8.12.0.1: Interim fix 024",
                "product": {
                  "name": "IBM Operational Decision Manager V8.12.0.1: Interim fix 024",
                  "product_id": "T043176-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.12.0.1_interim_fix_024"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV9.0.0.1: Interim fix 007",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV9.0.0.1: Interim fix 007",
                  "product_id": "T043177"
                }
              },
              {
                "category": "product_version",
                "name": "V9.0.0.1: Interim fix 007",
                "product": {
                  "name": "IBM Operational Decision Manager V9.0.0.1: Interim fix 007",
                  "product_id": "T043177-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v9.0.0.1_interim_fix_007"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Operational Decision Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP11 IF01",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP11 IF01",
                  "product_id": "T041270"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP11 IF01",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP11 IF01",
                  "product_id": "T041270-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up11_if01"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Collaboration and Deployment Services 8.5",
                "product": {
                  "name": "IBM SPSS Collaboration and Deployment Services 8.5",
                  "product_id": "T038750",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spss:collaboration_and_deployment_services_8.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SPSS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "12",
                "product": {
                  "name": "IBM Security Guardium 12",
                  "product_id": "T043916",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_guardium:sqlguard_12.0p35_bundle_jan-28-2025"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Guardium"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "for Linux",
                "product": {
                  "name": "NetApp ActiveIQ Unified Manager for Linux",
                  "product_id": "T023548",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:netapp:active_iq_unified_manager:for_linux"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for VMware vSphere",
                "product": {
                  "name": "NetApp ActiveIQ Unified Manager for VMware vSphere",
                  "product_id": "T025152",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:netapp:active_iq_unified_manager:for_vmware_vsphere"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for Microsoft Windows",
                "product": {
                  "name": "NetApp ActiveIQ Unified Manager for Microsoft Windows",
                  "product_id": "T025631",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:netapp:active_iq_unified_manager:for_microsoft_windows"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ActiveIQ Unified Manager"
          }
        ],
        "category": "vendor",
        "name": "NetApp"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Streams 2",
                "product": {
                  "name": "Red Hat JBoss A-MQ Streams 2",
                  "product_id": "T041596",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:streams_2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss A-MQ"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-6762",
      "product_status": {
        "known_affected": [
          "T025152",
          "67646",
          "T038324",
          "T038325",
          "T038326",
          "T043916",
          "T038750",
          "T038322",
          "T023548",
          "T043115",
          "2951",
          "T002207",
          "T041270",
          "444803",
          "T019704",
          "T025631",
          "T027843",
          "398363",
          "T043174",
          "T043175",
          "T043176",
          "T041596",
          "T043177"
        ]
      },
      "release_date": "2024-10-14T22:00:00.000+00:00",
      "title": "CVE-2024-6762"
    },
    {
      "cve": "CVE-2024-6763",
      "product_status": {
        "known_affected": [
          "T025152",
          "67646",
          "T038318",
          "T038326",
          "T043916",
          "T038327",
          "T038750",
          "T038322",
          "T023548",
          "T043115",
          "2951",
          "T002207",
          "T041270",
          "444803",
          "T019704",
          "T025631",
          "T027843",
          "398363",
          "T043174",
          "T043175",
          "T043176",
          "T041596",
          "T043177"
        ]
      },
      "release_date": "2024-10-14T22:00:00.000+00:00",
      "title": "CVE-2024-6763"
    },
    {
      "cve": "CVE-2024-8184",
      "product_status": {
        "known_affected": [
          "T025152",
          "67646",
          "T038324",
          "T038325",
          "T038326",
          "T043916",
          "T038320",
          "T038321",
          "T038322",
          "T038323",
          "T025631",
          "398363",
          "T038318",
          "T038319",
          "T038750",
          "T023548",
          "T043115",
          "2951",
          "T002207",
          "T041270",
          "444803",
          "T019704",
          "T027843",
          "T043174",
          "T043175",
          "T043176",
          "T041596",
          "T043177"
        ]
      },
      "release_date": "2024-10-14T22:00:00.000+00:00",
      "title": "CVE-2024-8184"
    },
    {
      "cve": "CVE-2024-9823",
      "product_status": {
        "known_affected": [
          "T025152",
          "67646",
          "T038324",
          "T038325",
          "T043916",
          "T038750",
          "T038322",
          "T038323",
          "T023548",
          "T043115",
          "2951",
          "T002207",
          "T041270",
          "444803",
          "T019704",
          "T025631",
          "T027843",
          "398363",
          "T043174",
          "T043175",
          "T043176",
          "T041596",
          "T043177"
        ]
      },
      "release_date": "2024-10-14T22:00:00.000+00:00",
      "title": "CVE-2024-9823"
    }
  ]
}

fkie_cve-2024-6762

Vulnerability from fkie_nvd

Published

2024-10-14 16:15

Modified

2024-11-08 21:29

Severity ?

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

References

URL	Tags
emo@eclipse.org	https://github.com/jetty/jetty.project/pull/10755	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/pull/10756	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/pull/9715	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/pull/9716	Patch
emo@eclipse.org	https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79	Vendor Advisory
emo@eclipse.org	https://gitlab.eclipse.org/security/cve-assignement/-/issues/24	Issue Tracking, Vendor Advisory

Impacted products

Vendor	Product	Version
eclipse	jetty	*
eclipse	jetty	*
eclipse	jetty	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "464A4A99-38E9-4ECD-AD6E-309AABC2F016",
              "versionEndExcluding": "10.0.18",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "823119A8-D743-4EFB-A35A-2821C5960139",
              "versionEndExcluding": "11.0.18",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE233C37-A184-44BC-B8C0-40F7B1E7512E",
              "versionEndExcluding": "12.0.4",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."
    },
    {
      "lang": "es",
      "value": "Jetty PushSessionCacheFilter puede ser explotado por usuarios no autenticados para lanzar ataques DoS remotos agotando la memoria del servidor."
    }
  ],
  "id": "CVE-2024-6762",
  "lastModified": "2024-11-08T21:29:51.237",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "emo@eclipse.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-14T16:15:03.930",
  "references": [
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jetty/jetty.project/pull/10755"
    },
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jetty/jetty.project/pull/10756"
    },
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jetty/jetty.project/pull/9715"
    },
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jetty/jetty.project/pull/9716"
    },
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"
    },
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"
    }
  ],
  "sourceIdentifier": "emo@eclipse.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "emo@eclipse.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-r7m4-f9h5-gr79

Vulnerability from github

Published

2024-10-14 21:07

Modified

2024-11-08 22:17

Severity ?

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks

Details

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

https://github.com/jetty/jetty.project/pull/9715
https://github.com/jetty/jetty.project/pull/9716

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by: + not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead. + reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory. + configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

References

https://github.com/jetty/jetty.project/pull/10756
https://github.com/jetty/jetty.project/pull/10755

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.17"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-servlets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.17"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-servlets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.0.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-servlets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-14T21:07:29Z",
    "nvd_published_at": "2024-10-14T16:15:03Z",
    "severity": "LOW"
  },
  "details": "### Impact\n Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server\u2019s memory.\n\n### Patches\n* https://github.com/jetty/jetty.project/pull/9715\n* https://github.com/jetty/jetty.project/pull/9716\n\n### Workarounds\nThe session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:\n + not using the PushCacheFilter.  Push has been deprecated by the various IETF specs and early hints responses should be used instead.\n + reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n + configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.\n\n### References\n* https://github.com/jetty/jetty.project/pull/10756\n* https://github.com/jetty/jetty.project/pull/10755\n",
  "id": "GHSA-r7m4-f9h5-gr79",
  "modified": "2024-11-08T22:17:54Z",
  "published": "2024-10-14T21:07:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/pull/10755"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/pull/10756"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/pull/9715"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/pull/9716"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jetty/jetty.project"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Eclipse Jetty\u0027s PushSessionCacheFilter can cause remote DoS attacks"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-6762 (GCVE-0-2024-6762)

Vulnerability from cvelistv5

wid-sec-w-2024-3176

Vulnerability from csaf_certbund

fkie_cve-2024-6762

Vulnerability from fkie_nvd

ghsa-r7m4-f9h5-gr79

Vulnerability from github

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature