mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
147 lines
5.7 KiB
JSON
147 lines
5.7 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-9823",
|
|
"ASSIGNER": "security@eclipse.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-400 Uncontrolled Resource Consumption",
|
|
"cweId": "CWE-400"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Eclipse Foundation",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Jetty",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "9.0.0",
|
|
"version_value": "9.4.54"
|
|
},
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "10.0.0",
|
|
"version_value": "10.0.18"
|
|
},
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "11.0.0",
|
|
"version_value": "11.0.18"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"vendor_name": "Eclipse Jetty",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Jetty",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "12.0.0",
|
|
"version_value": "12.0.3"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h",
|
|
"refsource": "MISC",
|
|
"name": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
|
|
},
|
|
{
|
|
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39",
|
|
"refsource": "MISC",
|
|
"name": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
|
|
},
|
|
{
|
|
"url": "https://github.com/jetty/jetty.project/issues/1256",
|
|
"refsource": "MISC",
|
|
"name": "https://github.com/jetty/jetty.project/issues/1256"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.2.0"
|
|
},
|
|
"source": {
|
|
"discovery": "UNKNOWN"
|
|
},
|
|
"work_around": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "The <code>DoSFilter</code> can be configured to not use sessions for tracking usage by setting the <code>trackSessions</code> init parameter to <code>false</code>. This will then use only the IP tracking mechanism, which is not vulnerable.<br>\nSessions can also be configured to have aggressive passivation or inactivation limits.<br>"
|
|
}
|
|
],
|
|
"value": "The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false. This will then use only the IP tracking mechanism, which is not vulnerable.\n\nSessions can also be configured to have aggressive passivation or inactivation limits."
|
|
}
|
|
],
|
|
"credits": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Lian Kee"
|
|
}
|
|
],
|
|
"impact": {
|
|
"cvss": [
|
|
{
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "LOW",
|
|
"baseScore": 5.3,
|
|
"baseSeverity": "MEDIUM",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "NONE",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "NONE",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
|
|
"version": "3.1"
|
|
}
|
|
]
|
|
}
|
|
} |