Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qMjZ3LWY5cnEtbXIycc4ABAPv
Eclipse Jetty has a denial of service vulnerability on DosFilter
Description
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
Vulnerability details
The Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server. The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds. The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.
Impact
Users of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.
Patches
The DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.
Patched releases:
- 9.4.54
- 10.0.18
- 11.0.18
- 12.0.3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMjZ3LWY5cnEtbXIycc4ABAPv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 1 day ago
Updated: 1 day ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-j26w-f9rq-mr2q, CVE-2024-9823
References:
- https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
- https://nvd.nist.gov/vuln/detail/CVE-2024-9823
- https://github.com/jetty/jetty.project/issues/1256
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/39
- https://github.com/advisories/GHSA-j26w-f9rq-mr2q
Blast Radius: 20.8
Affected Packages
maven:org.eclipse.jetty:jetty-servlets
Dependent packages: 951Dependent repositories: 8,474
Downloads:
Affected Version Ranges: >= 11.0.0, < 11.0.18, >= 10.0.0, < 10.0.18, >= 9.0.0, < 9.4.54
Fixed in: 11.0.18, 10.0.18, 9.4.54
All affected versions: 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 10.0.14, 10.0.15, 10.0.16, 10.0.17, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.0.13, 11.0.14, 11.0.15, 11.0.16, 11.0.17
All unaffected versions: 10.0.18, 10.0.19, 10.0.20, 10.0.21, 10.0.22, 10.0.23, 10.0.24, 11.0.18, 11.0.19, 11.0.20, 11.0.21, 11.0.22, 11.0.23, 11.0.24
maven:org.eclipse.jetty.ee9:jetty-ee9-servlets
Dependent packages: 3Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 12.0.0, < 12.0.3
Fixed in: 12.0.3
All affected versions: 12.0.0, 12.0.1, 12.0.2
All unaffected versions: 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 12.0.11, 12.0.12, 12.0.13
maven:org.eclipse.jetty.ee8:jetty-ee8-servlets
Dependent packages: 3Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 12.0.0, < 12.0.3
Fixed in: 12.0.3
All affected versions: 12.0.0, 12.0.1, 12.0.2
All unaffected versions: 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 12.0.11, 12.0.12, 12.0.13
maven:org.eclipse.jetty.ee10:jetty-ee10-servlets
Dependent packages: 13Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 12.0.0, < 12.0.3
Fixed in: 12.0.3
All affected versions: 12.0.0, 12.0.1, 12.0.2
All unaffected versions: 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8, 12.0.9, 12.0.10, 12.0.11, 12.0.12, 12.0.13, 12.0.14