Uncontrolled Resource Consumption in org.eclipse.jetty.ee10:jetty-ee10-servlets
CVE-2024-9823
- org.eclipse.jetty.ee10:jetty-ee10-servlets
- org.eclipse.jetty.ee8:jetty-ee8-servlets
- org.eclipse.jetty.ee9:jetty-ee9-servlets
- org.eclipse.jetty:jetty-servlets
Summary
There exists a security vulnerability in Jetty's "DosFilter" which can be exploited by unauthorized users to cause remote Denial-of-Service (DoS) attack on the server using "DosFilter". By repeatedly sending crafted requests, attackers can trigger Out-of-Memory errors and exhaust the server's memory finally. This issue affects org.eclipse.jetty.ee8:jetty-ee8-servlets, org.eclipse.jetty.ee9:jetty-ee9-servlets, and org.eclipse.jetty.ee10:jetty-ee10-servlets versions 12.0.0.alpha0 through 12.0.2, and org.eclipse.jetty:jetty-servlets 9.0.0.M0 through 9.4.53, 10.0.0-alpha0 through 10.0.17, and 11.0.0-alpha0 through 11.0.17.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- LOW
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published
