GHSA-j26w-f9rq-mr2q

Suggest an improvement
Source
https://github.com/advisories/GHSA-j26w-f9rq-mr2q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-j26w-f9rq-mr2q/GHSA-j26w-f9rq-mr2q.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j26w-f9rq-mr2q
Aliases
Published
2024-10-14T15:30:46Z
Modified
2024-10-18T17:57:06.050889Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Eclipse Jetty has a denial of service vulnerability on DosFilter
Details

Description There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.

Vulnerability details The Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server. The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds. The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.

Impact Users of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.

Patches The DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.

Patched releases:

  • 9.4.54
  • 10.0.18
  • 11.0.18
  • 12.0.3
Database specific
{
    "nvd_published_at": "2024-10-14T15:15:14Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-14T21:14:31Z"
}
References

Affected packages

Maven / org.eclipse.jetty.ee10:jetty-ee10-servlets

Package

Name
org.eclipse.jetty.ee10:jetty-ee10-servlets
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.3

Affected versions

12.*

12.0.0
12.0.1
12.0.2

Maven / org.eclipse.jetty.ee8:jetty-ee8-servlets

Package

Name
org.eclipse.jetty.ee8:jetty-ee8-servlets
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.3

Affected versions

12.*

12.0.0
12.0.1
12.0.2

Maven / org.eclipse.jetty.ee9:jetty-ee9-servlets

Package

Name
org.eclipse.jetty.ee9:jetty-ee9-servlets
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.3

Affected versions

12.*

12.0.0
12.0.1
12.0.2

Maven / org.eclipse.jetty:jetty-servlets

Package

Name
org.eclipse.jetty:jetty-servlets
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
9.4.54

Affected versions

9.*

9.0.0.v20130308
9.0.1.v20130408
9.0.2.v20130417
9.0.3.v20130506
9.0.4.v20130625
9.0.5.v20130815
9.0.6.v20130930
9.0.7.v20131107
9.1.0.M0
9.1.0.RC0
9.1.0.RC1
9.1.0.RC2
9.1.0.v20131115
9.1.1.v20140108
9.1.2.v20140210
9.1.3.v20140225
9.1.4.v20140401
9.1.5.v20140505
9.1.6.v20160112
9.2.0.M0
9.2.0.M1
9.2.0.RC0
9.2.0.v20140526
9.2.1.v20140609
9.2.2.v20140723
9.2.3.v20140905
9.2.4.v20141103
9.2.5.v20141112
9.2.6.v20141205
9.2.7.v20150116
9.2.8.v20150217
9.2.9.v20150224
9.2.10.v20150310
9.2.11.M0
9.2.11.v20150529
9.2.12.M0
9.2.12.v20150709
9.2.13.v20150730
9.2.14.v20151106
9.2.15.v20160210
9.2.16.v20160414
9.2.17.v20160517
9.2.18.v20160721
9.2.19.v20160908
9.2.20.v20161216
9.2.21.v20170120
9.2.22.v20170606
9.2.23.v20171218
9.2.24.v20180105
9.2.25.v20180606
9.2.26.v20180806
9.2.27.v20190403
9.2.28.v20190418
9.2.29.v20191105
9.2.30.v20200428
9.3.0.M0
9.3.0.M1
9.3.0.M2
9.3.0.RC0
9.3.0.RC1
9.3.0.v20150612
9.3.1.v20150714
9.3.2.v20150730
9.3.3.v20150827
9.3.4.RC0
9.3.4.RC1
9.3.4.v20151007
9.3.5.v20151012
9.3.6.v20151106
9.3.7.RC0
9.3.7.RC1
9.3.7.v20160115
9.3.8.RC0
9.3.8.v20160314
9.3.9.M0
9.3.9.M1
9.3.9.v20160517
9.3.10.M0
9.3.10.v20160621
9.3.11.M0
9.3.11.v20160721
9.3.12.v20160915
9.3.13.M0
9.3.13.v20161014
9.3.14.v20161028
9.3.15.v20161220
9.3.16.v20170120
9.3.17.RC0
9.3.17.v20170317
9.3.18.v20170406
9.3.19.v20170502
9.3.20.v20170531
9.3.21.M0
9.3.21.RC0
9.3.21.v20170918
9.3.22.v20171030
9.3.23.v20180228
9.3.24.v20180605
9.3.25.v20180904
9.3.26.v20190403
9.3.27.v20190418
9.3.28.v20191105
9.3.29.v20201019
9.3.30.v20211001
9.4.0.M0
9.4.0.M1
9.4.0.RC0
9.4.0.RC1
9.4.0.RC2
9.4.0.RC3
9.4.0.v20161208
9.4.0.v20180619
9.4.1.v20170120
9.4.1.v20180619
9.4.2.v20170220
9.4.2.v20180619
9.4.3.v20170317
9.4.3.v20180619
9.4.4.v20170414
9.4.4.v20180619
9.4.5.v20170502
9.4.5.v20180619
9.4.6.v20170531
9.4.6.v20180619
9.4.7.RC0
9.4.7.v20170914
9.4.7.v20180619
9.4.8.v20171121
9.4.8.v20180619
9.4.9.v20180320
9.4.10.RC0
9.4.10.RC1
9.4.10.v20180503
9.4.11.v20180605
9.4.12.RC0
9.4.12.RC1
9.4.12.RC2
9.4.12.v20180830
9.4.13.v20181111
9.4.14.v20181114
9.4.15.v20190215
9.4.16.v20190411
9.4.17.v20190418
9.4.18.v20190429
9.4.19.v20190610
9.4.20.v20190813
9.4.21.v20190926
9.4.22.v20191022
9.4.23.v20191118
9.4.24.v20191120
9.4.25.v20191220
9.4.26.v20200117
9.4.27.v20200227
9.4.28.v20200408
9.4.29.v20200521
9.4.30.v20200611
9.4.31.v20200723
9.4.32.v20200930
9.4.33.v20201020
9.4.34.v20201102
9.4.35.v20201120
9.4.36.v20210114
9.4.37.v20210219
9.4.38.v20210224
9.4.39.v20210325
9.4.40.v20210413
9.4.41.v20210516
9.4.42.v20210604
9.4.43.v20210629
9.4.44.v20210927
9.4.45.v20220203
9.4.46.v20220331
9.4.47.v20220610
9.4.48.v20220622
9.4.49.v20220914
9.4.50.v20221201
9.4.51.v20230217
9.4.52.v20230823
9.4.53.v20231009

Maven / org.eclipse.jetty:jetty-servlets

Package

Name
org.eclipse.jetty:jetty-servlets
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.18

Affected versions

10.*

10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.0.10
10.0.11
10.0.12
10.0.13
10.0.14
10.0.15
10.0.16
10.0.17

Maven / org.eclipse.jetty:jetty-servlets

Package

Name
org.eclipse.jetty:jetty-servlets
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.18

Affected versions

11.*

11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.0.9
11.0.10
11.0.11
11.0.12
11.0.13
11.0.14
11.0.15
11.0.16
11.0.17