Uncontrolled Resource Consumption
CVE-2024-22201
Summary
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. This vulnerability affects org.eclipse.jetty.http2:http2-common package versions 9.3.0.M0 through 9.4.53.v20231009, 10.0.0-alpha0 through 10.0.19, and 11.0.0-alpha0 through 11.0.19, org.eclipse.jetty.http2:jetty-http2-common package versions 12.0.0-alpha0 through 12.0.5, org.eclipse.jetty.http3:http3-common package versions 10.0.8 through 10.0.19, and 11.0.8 through 11.0.19, org.eclipse.jetty.http3:jetty-http3-common package versions 12.0.0-alpha0 through 12.0.5, org.eclipse.jetty.quic:quic-common package versions 10.0.8 through 10.0.19, 11.0.8 through 11.0.19, and org.eclipse.jetty.quic:jetty-quic-common package verisons 12.0.0.alpha0 through 12.0.5.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published