Allocation of Resources Without Limits or Throttling

Summary

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. This vulnerability affects org.eclipse.jetty.http2:http2-common package versions 9.3.0.M0 through 9.4.53.v20231009, 10.0.0-alpha0 through 10.0.19, and 11.0.0-alpha0 through 11.0.19, org.eclipse.jetty.http2:jetty-http2-common package versions 12.0.0-alpha0 through 12.0.5, org.eclipse.jetty.http3:http3-common package versions 10.0.8 through 10.0.19, and 11.0.8 through 11.0.19, org.eclipse.jetty.http3:jetty-http3-common package versions 12.0.0-alpha0 through 12.0.5, org.eclipse.jetty.quic:quic-common package versions 10.0.8 through 10.0.19, 11.0.8 through 11.0.19, and org.eclipse.jetty.quic:jetty-quic-common package verisons 12.0.0.alpha0 through 12.0.5.