{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9823", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-10-10T15:56:32.744Z", "datePublished": "2024-10-14T15:03:02.293Z", "dateUpdated": "2024-10-15T17:49:38.804Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "modules": ["jetty-servlets"], "packageName": "org.eclipse.jetty:jetty-servlets", "product": "Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "versions": [{"lessThan": "9.4.54", "status": "affected", "version": "9.0.0", "versionType": "semvar"}, {"lessThan": "10.0.18", "status": "affected", "version": "10.0.0", "versionType": "semvar"}, {"lessThan": "11.0.18", "status": "affected", "version": "11.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "modules": ["jetty-ee8-servlets"], "packageName": "org.eclipse.jetty.ee8:jetty-ee8-servlets", "product": "Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "versions": [{"lessThan": "12.0.3", "status": "affected", "version": "12.0.0", "versionType": "semvar"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "modules": ["jetty-ee9-servlets"], "packageName": "org.eclipse.jetty.ee8:jetty-ee9-servlets", "product": "Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "versions": [{"lessThan": "12.0.3", "status": "affected", "version": "12.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "modules": ["jetty-ee10-servlets"], "packageName": "org.eclipse.jetty.ee8:jetty-ee10-servlets", "product": "Jetty", "repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "versions": [{"lessThan": "12.0.3", "status": "affected", "version": "12.0.0", "versionType": "semvar"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Lian Kee"}], "datePublic": "2024-10-14T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.<br>"}], "value": "There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-10-14T15:29:14.390Z"}, "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"}, {"url": "https://github.com/jetty/jetty.project/issues/1256"}], "source": {"discovery": "UNKNOWN"}, "title": "Jetty DOS vulnerability on DosFilter", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The <code>DoSFilter</code> can be configured to not use sessions for tracking usage by setting the <code>trackSessions</code> init parameter to <code>false</code>. This will then use only the IP tracking mechanism, which is not vulnerable.<br>\nSessions can also be configured to have aggressive passivation or inactivation limits.<br>"}], "value": "The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.\n\nSessions can also be configured to have aggressive passivation or inactivation limits."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "eclipse", "product": "jetty", "cpes": ["cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "9.0.0", "status": "affected", "lessThan": "9.4.54", "versionType": "semver"}, {"version": "10.0.0", "status": "affected", "lessThan": "10.0.18", "versionType": "semver"}, {"version": "11.0.0", "status": "affected", "lessThan": "11.0.18", "versionType": "semver"}, {"version": "12.0.0", "status": "affected", "lessThan": "12.0.3", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:46:11.062398Z", "id": "CVE-2024-9823", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:49:38.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9823", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-15T17:46:11.062398Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"], "vendor": "eclipse", "product": "jetty", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.4.54", "versionType": "semver"}, {"status": "affected", "version": "10.0.0", "lessThan": "10.0.18", "versionType": "semver"}, {"status": "affected", "version": "11.0.0", "lessThan": "11.0.18", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:49:30.657Z"}}], "cna": {"title": "Jetty DOS vulnerability on DosFilter", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Lian Kee"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Foundation", "modules": ["jetty-servlets"], "product": "Jetty", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.4.54", "versionType": "semvar"}, {"status": "affected", "version": "10.0.0", "lessThan": "10.0.18", "versionType": "semvar"}, {"status": "affected", "version": "11.0.0", "lessThan": "11.0.18", "versionType": "semver"}], "packageName": "org.eclipse.jetty:jetty-servlets", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}, {"repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "modules": ["jetty-ee8-servlets"], "product": "Jetty", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.3", "versionType": "semvar"}], "packageName": "org.eclipse.jetty.ee8:jetty-ee8-servlets", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}, {"repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "modules": ["jetty-ee9-servlets"], "product": "Jetty", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.3", "versionType": "semver"}], "packageName": "org.eclipse.jetty.ee8:jetty-ee9-servlets", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}, {"repo": "https://github.com/jetty/jetty.project", "vendor": "Eclipse Jetty", "modules": ["jetty-ee10-servlets"], "product": "Jetty", "versions": [{"status": "affected", "version": "12.0.0", "lessThan": "12.0.3", "versionType": "semvar"}], "packageName": "org.eclipse.jetty.ee8:jetty-ee10-servlets", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "datePublic": "2024-10-14T15:00:00.000Z", "references": [{"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"}, {"url": "https://github.com/jetty/jetty.project/issues/1256"}], "workarounds": [{"lang": "en", "value": "The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.\n\nSessions can also be configured to have aggressive passivation or inactivation limits.", "supportingMedia": [{"type": "text/html", "value": "The <code>DoSFilter</code> can be configured to not use sessions for tracking usage by setting the <code>trackSessions</code> init parameter to <code>false</code>. This will then use only the IP tracking mechanism, which is not vulnerable.<br>\nSessions can also be configured to have aggressive passivation or inactivation limits.<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.", "supportingMedia": [{"type": "text/html", "value": "There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-10-14T15:29:14.390Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9823", "state": "PUBLISHED", "dateUpdated": "2024-10-15T17:49:38.804Z", "dateReserved": "2024-10-10T15:56:32.744Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2024-10-14T15:03:02.293Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally."}, {"lang": "es", "value": "Existe una vulnerabilidad de seguridad en el DosFilter de Jetty que puede ser explotada por usuarios no autorizados para provocar un ataque de denegaci\u00f3n de servicio (DoS) remoto en el servidor mediante el DosFilter. Al enviar repetidamente solicitudes manipuladas, los atacantes pueden generar errores OutofMemory y agotar la memoria del servidor."}], "id": "CVE-2024-9823", "lastModified": "2024-10-15T12:57:46.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2024-10-14T15:15:14.560", "references": [{"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/issues/1256"}, {"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"}, {"source": "emo@eclipse.org", "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9571", "cpe": "cpe:/a:redhat:amq_streams:2", "package": "org.eclipse.jetty/jetty-servlets", "product_name": "Streams for Apache Kafka 2.8.0", "release_date": "2024-11-13T00:00:00Z"}], "bugzilla": {"description": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter", "id": "2318565", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.", "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-9823", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Will not fix", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "org.eclipse.jetty/jetty-servlets", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-10-14T15:03:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9823\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9823\nhttps://github.com/jetty/jetty.project/issues/1256\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/39"], "threat_severity": "Moderate"}