CVE-2024-9823

Jetty DOS vulnerability on DosFilter

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

MITRE
RedHat

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.

A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.

*Credits: Lian Kee

CVSS Scores

Eclipse Foundationv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-10 CVE Reserved
2024-10-14 CVE Published
2024-10-15 CVE Updated
2024-10-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (5)

URL	Tag	Source
https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
https://gitlab.eclipse.org/security/cve-assignement/-/issues/39
https://github.com/jetty/jetty.project/issues/1256

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-9823	2024-11-13
https://bugzilla.redhat.com/show_bug.cgi?id=2318565	2024-11-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Foundation Search vendor "Eclipse Foundation"		Jetty Search vendor "Eclipse Foundation" for product "Jetty"				>= 9.0.0 < 9.4.54 Search vendor "Eclipse Foundation" for product "Jetty" and version " >= 9.0.0 < 9.4.54"		en		Affected
Eclipse Foundation Search vendor "Eclipse Foundation"		Jetty Search vendor "Eclipse Foundation" for product "Jetty"				>= 10.0.0 < 10.0.18 Search vendor "Eclipse Foundation" for product "Jetty" and version " >= 10.0.0 < 10.0.18"		en		Affected
Eclipse Foundation Search vendor "Eclipse Foundation"		Jetty Search vendor "Eclipse Foundation" for product "Jetty"				>= 11.0.0 < 11.0.18 Search vendor "Eclipse Foundation" for product "Jetty" and version " >= 11.0.0 < 11.0.18"		en		Affected
Eclipse Jetty Search vendor "Eclipse Jetty"		Jetty Search vendor "Eclipse Jetty" for product "Jetty"				>= 12.0.0 < 12.0.3 Search vendor "Eclipse Jetty" for product "Jetty" and version " >= 12.0.0 < 12.0.3"		en		Affected
Eclipse Jetty Search vendor "Eclipse Jetty"		Jetty Search vendor "Eclipse Jetty" for product "Jetty"				>= 12.0.0 < 12.0.3 Search vendor "Eclipse Jetty" for product "Jetty" and version " >= 12.0.0 < 12.0.3"		en		Affected
Eclipse Jetty Search vendor "Eclipse Jetty"		Jetty Search vendor "Eclipse Jetty" for product "Jetty"				>= 12.0.0 < 12.0.3 Search vendor "Eclipse Jetty" for product "Jetty" and version " >= 12.0.0 < 12.0.3"		en		Affected