Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yN200LWY5aDUtZ3I3Oc4ABAQW
Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks
Impact
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
Patches
Workarounds
The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
- not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
- reducing the idle timeout on unauthenticated sessions, which reduces the time such sessions stay in memory.
- configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.
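The following embedded-Jetty setup is an added example, not code from the advisory or from the Jetty project, showing how the second and third workarounds above can be applied together (the first workaround is simply not registering PushCacheFilter at all). It assumes Jetty 10.x class and package names (`org.eclipse.jetty.server.session.*`, `javax.servlet.*`); Jetty 11 uses `jakarta.servlet` and Jetty 12 moved the session classes to other packages. The `authenticatedUser` session attribute, the timeout values and the `/tmp/jetty-sessions` directory are constructed placeholders.

```java
// Added example (not from the advisory or the Jetty project).
// Assumes Jetty 10.x APIs; attribute names and timeout values are constructed.
import java.io.File;
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.DefaultSessionCache;
import org.eclipse.jetty.server.session.FileSessionDataStore;
import org.eclipse.jetty.server.session.SessionCache;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class SessionHardeningExample {
    // Constructed values: short idle timeout for sessions nobody has logged into,
    // a longer one once the application has marked the session as authenticated.
    static final int UNAUTHENTICATED_IDLE_SECONDS = 60;
    static final int AUTHENTICATED_IDLE_SECONDS = 30 * 60;

    // Workaround 2: shrink the idle timeout of unauthenticated sessions so a
    // flood of anonymous sessions is evicted from memory quickly.
    public static class UnauthenticatedSessionTimeoutFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // Run the request first so a session created during it is also covered.
            chain.doFilter(req, res);
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (session != null) {
                // "authenticatedUser" is a hypothetical attribute the login code would set.
                boolean authenticated = session.getAttribute("authenticatedUser") != null;
                session.setMaxInactiveInterval(
                        authenticated ? AUTHENTICATED_IDLE_SECONDS : UNAUTHENTICATED_IDLE_SECONDS);
            }
        }
    }

    // Workaround 3: passivate sessions to a file-backed data store and evict them
    // from the in-memory cache as soon as no request is using them.
    public static SessionHandler buildSessionHandler(File storeDir) {
        SessionHandler sessionHandler = new SessionHandler();
        // Default for new sessions; the filter above raises it after login.
        sessionHandler.setMaxInactiveInterval(UNAUTHENTICATED_IDLE_SECONDS);

        DefaultSessionCache cache = new DefaultSessionCache(sessionHandler);
        cache.setEvictionPolicy(SessionCache.EVICT_ON_SESSION_EXIT);

        FileSessionDataStore store = new FileSessionDataStore();
        store.setStoreDir(storeDir);
        cache.setSessionDataStore(store);

        sessionHandler.setSessionCache(cache);
        return sessionHandler;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSessionHandler(buildSessionHandler(new File("/tmp/jetty-sessions")));
        context.addFilter(UnauthenticatedSessionTimeoutFilter.class, "/*",
                EnumSet.of(DispatcherType.REQUEST));
        // Workaround 1: PushCacheFilter is deliberately not registered here.
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

With `EVICT_ON_SESSION_EXIT` the cache holds a session only while a request for it is in flight, so memory use is bounded by concurrent requests rather than by the number of sessions an anonymous client can create; the file store then bears the growth instead, which is why a short unauthenticated idle timeout is still worth keeping so stale entries are scavenged.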
Permalink: https://github.com/advisories/GHSA-r7m4-f9h5-gr79
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yN200LWY5aDUtZ3I3Oc4ABAQW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 month ago
Updated: 12 days ago
CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-r7m4-f9h5-gr79, CVE-2024-6762
References:
- https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
- https://nvd.nist.gov/vuln/detail/CVE-2024-6762
- https://github.com/jetty/jetty.project/pull/10755
- https://github.com/jetty/jetty.project/pull/10756
- https://github.com/jetty/jetty.project/pull/9715
- https://github.com/jetty/jetty.project/pull/9716
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/24
- https://github.com/advisories/GHSA-r7m4-f9h5-gr79
Blast Radius: 12.2
Affected Packages
maven:org.eclipse.jetty:jetty-servlets
Dependent packages: 951
Dependent repositories: 8,474
Affected Version Ranges: >= 12.0.0, <= 12.0.3; >= 11.0.0, <= 11.0.17; >= 10.0.0, <= 10.0.17
Fixed in: 12.0.4, 11.0.18, 10.0.18
All affected versions: 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 10.0.14, 10.0.15, 10.0.16, 10.0.17, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.0.13, 11.0.14, 11.0.15, 11.0.16, 11.0.17
All unaffected versions: 10.0.18, 10.0.19, 10.0.20, 10.0.21, 10.0.22, 10.0.23, 10.0.24, 11.0.18, 11.0.19, 11.0.20, 11.0.21, 11.0.22, 11.0.23, 11.0.24