CVE-2024-9823

Summary

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationJetty9.0.0 < 9.4.54affected
Eclipse FoundationJetty10.0.0 < 10.0.18affected
Eclipse FoundationJetty11.0.0 < 11.0.18affected
Eclipse JettyJetty12.0.0 < 12.0.3affected
Eclipse JettyJetty12.0.0 < 12.0.3affected
Eclipse JettyJetty12.0.0 < 12.0.3affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

Workarounds

The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.

Sessions can also be configured to have aggressive passivation or inactivation limits.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References