CVE-2024-6762
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Eclipse Foundation | Jetty | 10.0.0 <= 10.0.17 | affected |
| Eclipse Foundation | Jetty | 11.0.0 <= 11.0.17 | affected |
| Eclipse Foundation | Jetty | 12.0.0 <= 12.0.3 | affected |
Weaknesses
- CWE-400: CWE-400 Uncontrolled Resource Consumption
Workarounds
The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.
configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html , so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/24
- https://github.com/jetty/jetty.project/pull/9715
- https://github.com/jetty/jetty.project/pull/9716
- https://github.com/jetty/jetty.project/pull/10756
- https://github.com/jetty/jetty.project/pull/10755
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.