{"affected_release": [{"advisory": "RHSA-2024:3635", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-0:2.440.3.1716445200-3.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3635", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1716445211-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3636", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-0:2.440.3.1716445150-3.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3636", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1716445207-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3634", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-0:2.440.3.1716387933-3.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3634", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1716388016-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:4597", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-0:2.440.3.1718879390-3.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4597", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-2-plugins-0:4.15.1718879538-1.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4884", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.1", "package": "jetty", "product_name": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:4873", "cpe": 
"cpe:/a:redhat:apicurio_registry:2.6", "package": "jetty", "product_name": "Red Hat build of Apicurio Registry 2.6.1 GA", "release_date": "2024-07-25T00:00:00Z"}], "bugzilla": {"description": "jetty: stop accepting new connections from valid clients", "id": "2266136", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266136"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Jetty is a Java-based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.", "A flaw was found in Jetty, a Java-based web server and servlet engine. If an HTTP/2 connection gets TCP congested, it remains open and idle, and connections may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients."], 
"mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-22201", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "jetty", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "jetty", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "jetty", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "jetty", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "jetty", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat Integration Camel Quarkus 2"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, 
{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "jetty", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "jetty", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "jetty", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Will not fix", "package_name": "jetty", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-22201\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22201\nhttps://github.com/jetty/jetty.project/issues/11256\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98"], "statement": "The issue in Jetty where HTTP/2 connections can enter a congested, idle state and potentially exhaust server file descriptors represents a moderate severity due to its impact on system resources and service availability. While the vulnerability requires the deliberate creation of numerous congested connections by an attacker, its exploitation can lead to denial-of-service conditions by consuming all available file descriptors. This scenario could disrupt legitimate client connections and impair server responsiveness.", "threat_severity": "Moderate"}