{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "CVE-2024-6762",
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "state": "PUBLISHED",
    "assignerShortName": "eclipse",
    "dateReserved": "2024-07-15T17:35:50.791Z",
    "datePublished": "2024-10-14T15:07:10.942Z",
    "dateUpdated": "2024-10-15T17:42:50.434Z"
  },
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "modules": ["jetty-servlets"],
          "packageName": "org.eclipse.jetty:jetty-servlets",
          "product": "Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Foundation",
          "versions": [
            {"lessThanOrEqual": "10.0.17", "status": "affected", "version": "10.0.0", "versionType": "semver"},
            {"lessThanOrEqual": "11.0.17", "status": "affected", "version": "11.0.0", "versionType": "semver"},
            {"lessThanOrEqual": "12.0.3", "status": "affected", "version": "12.0.0", "versionType": "semver"}
          ]
        }
      ],
      "credits": [{"lang": "en", "type": "finder", "value": "Lian Kee"}],
      "datePublic": "2024-10-14T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {"base64": false, "type": "text/html", "value": "<div>Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory.</div><br>"}
          ],
          "value": "Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server\u2019s memory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [{"lang": "en", "value": "GENERAL"}]
        }
      ],
      "problemTypes": [
        {"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}
      ],
      "providerMetadata": {
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse",
        "dateUpdated": "2024-10-14T15:07:10.942Z"
      },
      "references": [
        {"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"},
        {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"},
        {"url": "https://github.com/jetty/jetty.project/pull/9715"},
        {"url": "https://github.com/jetty/jetty.project/pull/9716"},
        {"url": "https://github.com/jetty/jetty.project/pull/10756"},
        {"url": "https://github.com/jetty/jetty.project/pull/10755"}
      ],
      "source": {"discovery": "UNKNOWN"},
      "title": "Jetty PushSessionCacheFilter can cause remote DoS attacks",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {"base64": false, "type": "text/html", "value": "<p>The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:</p>\n<ul>\n<li>not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.</li>\n<li>reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.</li>\n<li>configuring a session cache to use <a target=\"_blank\" rel=\"nofollow\" href=\"https://jetty.org/docs/jetty/12/programming-guide/server/session.html\">session passivation</a>,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.</li>\n</ul>"}
          ],
          "value": "The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\n\n\n\n * not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n * reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n * configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory."
        }
      ],
      "x_generator": {"engine": "Vulnogram 0.2.0"}
    },
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "type": "ssvc",
              "content": {
                "timestamp": "2024-10-15T17:42:42.629742Z",
                "id": "CVE-2024-6762",
                "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}],
                "role": "CISA Coordinator",
                "version": "2.0.3"
              }
            }
          }
        ],
        "title": "CISA ADP Vulnrichment",
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2024-10-15T17:42:50.434Z"
        }
      }
    ]
  }
}