{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6762", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-07-15T17:35:50.791Z", "datePublished": "2024-10-14T15:07:10.942Z", "dateUpdated": "2024-10-15T17:42:50.434Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "modules": ["jetty-servlets"], "packageName": "org.eclipse.jetty:jetty-servlets", "product": "Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "10.0.17", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "11.0.17", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"lessThanOrEqual": "12.0.3", "status": "affected", "version": "12.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lian Kee"}], "datePublic": "2024-10-14T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.</div><br>"}], "value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-10-14T15:07:10.942Z"}, "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"}, {"url": "https://github.com/jetty/jetty.project/pull/9715"}, {"url": "https://github.com/jetty/jetty.project/pull/9716"}, {"url": "https://github.com/jetty/jetty.project/pull/10756"}, {"url": "https://github.com/jetty/jetty.project/pull/10755"}], "source": {"discovery": "UNKNOWN"}, "title": "Jetty PushSessionCacheFilter can cause remote DoS attacks", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:</p>\n<ul>\n<li>not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.</li>\n<li>reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.</li>\n<li>configuring a session cache to use <a target=\"_blank\" rel=\"nofollow\" href=\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\">session passivation</a>,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.</li>\n</ul>"}], "value": "The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\n\n\n\n * not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n * reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n * configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:42:42.629742Z", "id": "CVE-2024-6762", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:42:50.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-15T17:42:42.629742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:42:46.395Z"}}], "cna": {"title": "Jetty PushSessionCacheFilter can cause remote DoS attacks", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Lian Kee"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "modules": ["jetty-servlets"], "product": "Jetty", "versions": [{"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.17"}, {"status": "affected", "version": "11.0.0", "versionType": "semver", "lessThanOrEqual": "11.0.17"}, {"status": "affected", "version": "12.0.0", "versionType": "semver", "lessThanOrEqual": "12.0.3"}], "packageName": "org.eclipse.jetty:jetty-servlets", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "datePublic": "2024-10-14T15:00:00.000Z", "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"}, {"url": "https://github.com/jetty/jetty.project/pull/9715"}, {"url": "https://github.com/jetty/jetty.project/pull/9716"}, {"url": "https://github.com/jetty/jetty.project/pull/10756"}, {"url": "https://github.com/jetty/jetty.project/pull/10755"}], "workarounds": [{"lang": "en", "value": "The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\n\n\n\n * not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n * reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n * configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.", "supportingMedia": [{"type": "text/html", "value": "<p>The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:</p>\n<ul>\n<li>not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.</li>\n<li>reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.</li>\n<li>configuring a session cache to use <a target=\"_blank\" rel=\"nofollow\" href=\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\">session passivation</a>,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.</li>\n</ul>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.", "supportingMedia": [{"type": "text/html", "value": "<div>Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.</div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-10-14T15:07:10.942Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6762", "state": "PUBLISHED", "dateUpdated": "2024-10-15T17:42:50.434Z", "dateReserved": "2024-07-15T17:35:50.791Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2024-10-14T15:07:10.942Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "464A4A99-38E9-4ECD-AD6E-309AABC2F016", "versionEndExcluding": "10.0.18", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "823119A8-D743-4EFB-A35A-2821C5960139", "versionEndExcluding": "11.0.18", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE233C37-A184-44BC-B8C0-40F7B1E7512E", "versionEndExcluding": "12.0.4", "versionStartIncluding": "12.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."}, {"lang": "es", "value": "Jetty PushSessionCacheFilter puede ser explotado por usuarios no autenticados para lanzar ataques DoS remotos agotando la memoria del servidor."}], "id": "CVE-2024-6762", "lastModified": "2024-11-08T21:29:51.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2024-10-14T16:15:03.930", "references": [{"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/jetty/jetty.project/pull/10755"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/jetty/jetty.project/pull/10756"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/jetty/jetty.project/pull/9715"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/jetty/jetty.project/pull/9716"}, {"source": "emo@eclipse.org", "tags": ["Vendor Advisory"], "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"}, {"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.eclipse.jetty:jetty-servlets: jetty: Jetty PushSessionCacheFilter can cause remote DoS attacks", "id": "2318562", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318562"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.", "A flaw was found in Jetty. In certain circumstances, this flaw allows unauthenticated users to launch remote denial of service (DoS) attacks by exhausting the server\u2019s memory in the Jetty PushSessionCacheFilter."], "name": "CVE-2024-6762", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "streams for Apache Kafka"}], "public_date": "2024-10-14T15:07:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-6762\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6762\nhttps://github.com/jetty/jetty.project/pull/10755\nhttps://github.com/jetty/jetty.project/pull/10756\nhttps://github.com/jetty/jetty.project/pull/9715\nhttps://github.com/jetty/jetty.project/pull/9716\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/24"], "threat_severity": "Low"}