{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2024-9823",
"ASSIGNER": "security@eclipse.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption",
"cweId": "CWE-400"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Eclipse Foundation",
"product": {
"product_data": [
{
"product_name": "Jetty",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "9.0.0",
"version_value": "9.4.54"
},
{
"version_affected": "<",
"version_name": "10.0.0",
"version_value": "10.0.18"
},
{
"version_affected": "<",
"version_name": "11.0.0",
"version_value": "11.0.18"
}
]
}
}
]
}
},
{
"vendor_name": "Eclipse Jetty",
"product": {
"product_data": [
{
"product_name": "Jetty",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "12.0.0",
"version_value": "12.0.3"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h",
"refsource": "MISC",
"name": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39",
"refsource": "MISC",
"name": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
},
{
"url": "https://github.com/jetty/jetty.project/issues/1256",
"refsource": "MISC",
"name": "https://github.com/jetty/jetty.project/issues/1256"
}
]
},
"generator": {
"engine": "Vulnogram 0.2.0"
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.
\nSessions can also be configured to have aggressive passivation or inactivation limits.
"
}
],
"value": "The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.\n\nSessions can also be configured to have aggressive passivation or inactivation limits."
}
],
"credits": [
{
"lang": "en",
"value": "Lian Kee"
}
],
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
]
}
}