CVE-2024-6762

Summary

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationJetty10.0.0 <= 10.0.17affected
Eclipse FoundationJetty11.0.0 <= 11.0.17affected
Eclipse FoundationJetty12.0.0 <= 12.0.3affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:

  • not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.

  • reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.

  • configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html , so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References