{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8184", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-08-26T15:58:44.006Z", "datePublished": "2024-10-14T15:09:37.861Z", "dateUpdated": "2024-10-15T17:42:01.168Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "modules": ["jetty-server"], "packageName": "org.eclipse.jetty:jetty-server", "product": "Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "9.4.55", "status": "affected", "version": "9.3.12", "versionType": "semver"}, {"lessThanOrEqual": "10.0.23", "status": "affected", "version": "10.0.0", "versionType": "semver"}, {"lessThanOrEqual": "11.0.23", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"lessThanOrEqual": "12.0.8", "status": "affected", "version": "12.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "https://github.com/HRsGIT"}], "datePublic": "2024-10-14T03:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There exists a security vulnerability in Jetty's <code>ThreadLimitHandler.getRemote()</code> which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.<br>"}], "value": "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-10-14T15:30:02.698Z"}, "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"}, {"url": "https://github.com/jetty/jetty.project/pull/11723"}], "source": {"discovery": "UNKNOWN"}, "title": "Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Do not use <code>ThreadLimitHandler</code>.<br>\nConsider use of <code>QoSHandler</code> instead to artificially limit resource utilization.<br>"}], "value": "Do not use ThreadLimitHandler.\n\nConsider use of QoSHandler instead to artificially limit resource utilization."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:41:50.744158Z", "id": "CVE-2024-8184", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:42:01.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-15T17:41:50.744158Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:41:57.293Z"}}], "cna": {"title": "Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "https://github.com/HRsGIT"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "modules": ["jetty-server"], "product": "Jetty", "versions": [{"status": "affected", "version": "9.3.12", "versionType": "semver", "lessThanOrEqual": "9.4.55"}, {"status": "affected", "version": "10.0.0", "versionType": "semver", "lessThanOrEqual": "10.0.23"}, {"status": "affected", "version": "11.0.0", "versionType": "semver", "lessThanOrEqual": "11.0.23"}, {"status": "affected", "version": "12.0.0", "versionType": "semver", "lessThanOrEqual": "12.0.8"}], "packageName": "org.eclipse.jetty:jetty-server", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "datePublic": "2024-10-14T03:00:00.000Z", "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"}, {"url": "https://github.com/jetty/jetty.project/pull/11723"}], "workarounds": [{"lang": "en", "value": "Do not use ThreadLimitHandler.\n\nConsider use of QoSHandler instead to artificially limit resource utilization.", "supportingMedia": [{"type": "text/html", "value": "Do not use <code>ThreadLimitHandler</code>.<br>\nConsider use of <code>QoSHandler</code> instead to artificially limit resource utilization.<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", "supportingMedia": [{"type": "text/html", "value": "There exists a security vulnerability in Jetty's <code>ThreadLimitHandler.getRemote()</code> which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-10-14T15:30:02.698Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8184", "state": "PUBLISHED", "dateUpdated": "2024-10-15T17:42:01.168Z", "dateReserved": "2024-08-26T15:58:44.006Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2024-10-14T15:09:37.861Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "38EE28A7-83A2-4D16-A1D7-197C1680C234", "versionEndExcluding": "9.4.56", "versionStartIncluding": "9.3.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "40B124FE-E76C-4612-8781-42CF3182E264", "versionEndExcluding": "10.0.24", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "43B96569-B73B-4765-994F-809E5AE1A3CE", "versionEndExcluding": "11.0.24", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDCB79ED-6D2F-4A37-BB89-41EABF18EAC1", "versionEndExcluding": "12.0.9", "versionStartIncluding": "12.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory."}, {"lang": "es", "value": "Existe una vulnerabilidad de seguridad en ThreadLimitHandler.getRemote() de Jetty que puede ser explotada por usuarios no autorizados para provocar un ataque de denegaci\u00f3n de servicio (DoS) remoto. Al enviar repetidamente solicitudes manipuladas, los atacantes pueden generar errores OutofMemory y agotar la memoria del servidor."}], "id": "CVE-2024-8184", "lastModified": "2024-11-08T21:00:09.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2024-10-14T16:15:04.380", "references": [{"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/jetty/jetty.project/pull/11723"}, {"source": "emo@eclipse.org", "tags": ["Vendor Advisory"], "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"}, {"source": "emo@eclipse.org", "tags": ["Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9571", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "org.eclipse.jetty/jetty-server", "product_name": "Streams for Apache Kafka 2.8.0", "release_date": "2024-11-13T00:00:00Z"}], "bugzilla": {"description": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", "id": "2318564", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8184", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Will not fix", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-server", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-10-14T15:09:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8184\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8184\nhttps://github.com/jetty/jetty.project/pull/11723\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/30"], "statement": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", "threat_severity": "Moderate"}