Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nOG01LTcyMnItOHdocc4ABAQX
Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
Impact
Remote DOS attack can cause out of memory
Description
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which
can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By
repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the
server's memory.
Affected Versions
- Jetty 12.0.0-12.0.8 (Supported)
- Jetty 11.0.0-11.0.23 (EOL)
- Jetty 10.0.0-10.0.23 (EOL)
- Jetty 9.3.12-9.4.55 (EOL)
Patched Versions
- Jetty 12.0.9
- Jetty 11.0.24
- Jetty 10.0.24
- Jetty 9.4.56
Workarounds
Do not use ThreadLimitHandler.
Consider use of QoSHandler instead to artificially limit resource utilization.
References
Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
Permalink: https://github.com/advisories/GHSA-g8m5-722r-8whqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOG01LTcyMnItOHdocc4ABAQX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 1 day ago
Updated: 1 day ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-g8m5-722r-8whq, CVE-2024-8184
References:
- https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
- https://nvd.nist.gov/vuln/detail/CVE-2024-8184
- https://github.com/jetty/jetty.project/pull/11723
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/30
- https://github.com/advisories/GHSA-g8m5-722r-8whq
Blast Radius: 26.8
Affected Packages
maven:org.eclipse.jetty:jetty-server
Dependent packages: 3,819Dependent repositories: 34,580
Downloads:
Affected Version Ranges: >= 9.3.12, <= 9.4.55, >= 11.0.0, <= 11.0.23, >= 10.0.0, <= 10.0.23, >= 12.0.0, <= 12.0.8
Fixed in: 9.4.56, 11.0.24, 10.0.24, 12.0.9
All affected versions: 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 10.0.14, 10.0.15, 10.0.16, 10.0.17, 10.0.18, 10.0.19, 10.0.20, 10.0.21, 10.0.22, 10.0.23, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.0.13, 11.0.14, 11.0.15, 11.0.16, 11.0.17, 11.0.18, 11.0.19, 11.0.20, 11.0.21, 11.0.22, 11.0.23, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8
All unaffected versions: 12.0.9, 12.0.10, 12.0.11, 12.0.12