CVE-2024-22201

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-22201
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-22201.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-22201
Aliases
Related
Published
2024-02-26T16:27:56Z
Modified
2024-09-11T06:12:45.968083Z
Summary
[none]
Details

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

References

Affected packages

Debian:11 / jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.50-4+deb11u2

Affected versions

9.*

9.4.39-3
9.4.39-3+deb11u1
9.4.39-3+deb11u2
9.4.44-1
9.4.44-2
9.4.44-3
9.4.44-4
9.4.45-1
9.4.46-1
9.4.48-1
9.4.49-1
9.4.49-1.1
9.4.50-1~bpo11+1
9.4.50-1
9.4.50-2
9.4.50-3
9.4.50-4
9.4.50-4+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.50-4+deb12u3

Affected versions

9.*

9.4.50-4
9.4.50-4+deb12u1
9.4.50-4+deb12u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.54-1

Affected versions

9.*

9.4.50-4
9.4.51-1
9.4.51-2
9.4.52-1
9.4.53-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}