CVE-2024-9823
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Eclipse Foundation | Jetty | 9.0.0 < 9.4.54 | affected |
| Eclipse Foundation | Jetty | 10.0.0 < 10.0.18 | affected |
| Eclipse Foundation | Jetty | 11.0.0 < 11.0.18 | affected |
| Eclipse Jetty | Jetty | 12.0.0 < 12.0.3 | affected |
| Eclipse Jetty | Jetty | 12.0.0 < 12.0.3 | affected |
| Eclipse Jetty | Jetty | 12.0.0 < 12.0.3 | affected |
Weaknesses
- CWE-400: CWE-400 Uncontrolled Resource Consumption
Workarounds
The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.
Sessions can also be configured to have aggressive passivation or inactivation limits.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://security.netapp.com/advisory/ntap-20250306-0006/
- https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
References
- https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/39
- https://github.com/jetty/jetty.project/issues/1256
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.