{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22201", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-08T04:59:27.371Z", "datePublished": "2024-02-26T16:13:33.848Z", "dateUpdated": "2024-08-28T14:21:40.015Z"}, "containers": {"cna": {"title": "Jetty connection leaking on idle timeout when TCP congested", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98"}, {"name": "https://github.com/jetty/jetty.project/issues/11256", "tags": ["x_refsource_MISC"], "url": "https://github.com/jetty/jetty.project/issues/11256"}, {"url": "https://security.netapp.com/advisory/ntap-20240329-0001/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/2"}], "affected": [{"vendor": "jetty", "product": "jetty.project", "versions": [{"version": ">= 9.3.0, <= 9.4.53", "status": "affected"}, {"version": ">= 10.0.0, <= 10.0.19", "status": "affected"}, {"version": ">= 11.0.0, <= 11.0.19", "status": "affected"}, {"version": ">= 12.0.0, <= 12.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T16:13:33.848Z"}, "descriptions": [{"lang": "en", "value": "Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.\n\n"}], "source": {"advisory": "GHSA-rggv-cv7r-mw98", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.848Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98"}, {"name": "https://github.com/jetty/jetty.project/issues/11256", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jetty/jetty.project/issues/11256"}, {"url": "https://security.netapp.com/advisory/ntap-20240329-0001/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/2", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "jetty", "product": "jetty.project", "cpes": ["cpe:2.3:a:jetty:jetty.project:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.3.0", "status": "affected", "lessThanOrEqual": "9.4.53", "versionType": "custom"}, {"version": "10.0.0", "status": "affected", "lessThanOrEqual": "10.0.19", "versionType": "custom"}, {"version": "11.0.0", "status": "affected", "lessThanOrEqual": "11.0.19", "versionType": "custom"}, {"version": "12.0.0", "status": "affected", "lessThanOrEqual": "12.0.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-01T18:49:17.679314Z", "id": "CVE-2024-22201", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T14:21:40.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", "name": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/jetty/jetty.project/issues/11256", "name": "https://github.com/jetty/jetty.project/issues/11256", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240329-0001/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.848Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22201", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-01T18:49:17.679314Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jetty:jetty.project:*:*:*:*:*:*:*:*"], "vendor": "jetty", "product": "jetty.project", "versions": [{"status": "affected", "version": "9.3.0", "versionType": "custom", "lessThanOrEqual": "9.4.53"}, {"status": "affected", "version": "10.0.0", "versionType": "custom", "lessThanOrEqual": "10.0.19"}, {"status": "affected", "version": "11.0.0", "versionType": "custom", "lessThanOrEqual": "11.0.19"}, {"status": "affected", "version": "12.0.0", "versionType": "custom", "lessThanOrEqual": "12.0.5"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T14:21:13.397Z"}}], "cna": {"title": "Jetty connection leaking on idle timeout when TCP congested", "source": {"advisory": "GHSA-rggv-cv7r-mw98", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "jetty", "product": "jetty.project", "versions": [{"status": "affected", "version": ">= 9.3.0, <= 9.4.53"}, {"status": "affected", "version": ">= 10.0.0, <= 10.0.19"}, {"status": "affected", "version": ">= 11.0.0, <= 11.0.19"}, {"status": "affected", "version": ">= 12.0.0, <= 12.0.5"}]}], "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", "name": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jetty/jetty.project/issues/11256", "name": "https://github.com/jetty/jetty.project/issues/11256", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20240329-0001/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/20/2"}], "descriptions": [{"lang": "en", "value": "Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T16:13:33.848Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22201", "state": "PUBLISHED", "dateUpdated": "2024-08-28T14:21:40.015Z", "dateReserved": "2024-01-08T04:59:27.371Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-26T16:13:33.848Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.\n\n"}, {"lang": "es", "value": "Jetty es un servidor web y motor de servlet basado en Java. Una conexi\u00f3n SSL HTTP/2 que est\u00e9 establecida y TCP congestionada se filtrar\u00e1 cuando expire el tiempo de espera. Un atacante puede provocar que muchas conexiones terminen en este estado y que el servidor se quede sin descriptores de archivos, lo que eventualmente provocar\u00e1 que el servidor deje de aceptar nuevas conexiones de clientes v\u00e1lidos. La vulnerabilidad est\u00e1 parcheada en 9.4.54, 10.0.20, 11.0.20 y 12.0.6."}], "id": "CVE-2024-22201", "lastModified": "2024-05-01T18:15:13.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-26T16:27:56.343", "references": [{"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2024/03/20/2"}, {"source": "security-advisories@github.com", "url": "https://github.com/jetty/jetty.project/issues/11256"}, {"source": "security-advisories@github.com", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240329-0001/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3635", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-0:2.440.3.1716445200-3.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3635", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1716445211-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3636", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-0:2.440.3.1716445150-3.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3636", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1716445207-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3634", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-0:2.440.3.1716387933-3.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3634", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1716388016-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:4597", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-0:2.440.3.1718879390-3.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4597", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-2-plugins-0:4.15.1718879538-1.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4884", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.1", "package": "jetty", "product_name": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:4873", "cpe": "cpe:/a:redhat:apicurio_registry:2.6", "package": "jetty", "product_name": "Red Hat build of Apicurio Registry 2.6.1 GA", "release_date": "2024-07-25T00:00:00Z"}], "bugzilla": {"description": "jetty: stop accepting new connections from valid clients", "id": "2266136", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266136"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.", "A flaw was found in Jetty, a Java based web server and servlet engine. If an HTTP/2 connection gets TCP congested, it remains open and idle, and connections may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-22201", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "jetty", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "jetty", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "jetty", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "jetty", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "jetty", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "jetty", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "jetty", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Will not fix", "package_name": "jetty", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-22201\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22201\nhttps://github.com/jetty/jetty.project/issues/11256\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98"], "statement": "The issue in Jetty where HTTP/2 connections can enter a congested, idle state and potentially exhaust server file descriptors represents a moderate severity due to its impact on system resources and service availability. While the vulnerability requires the deliberate creation of numerous congested connections by an attacker, its exploitation can lead to denial-of-service conditions by consuming all available file descriptors. This scenario could disrupt legitimate client connections and impair server responsiveness.", "threat_severity": "Moderate"}