PT-2024-3054 · Eclipse · Jetty

Luffy1949 · Published 2024-02-26 · Updated 2026-01-19 · CVE-2024-22201

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Jetty versions prior to 9.4.54
Jetty versions prior to 10.0.20
Jetty versions prior to 11.0.20
Jetty versions prior to 12.0.6
Description
An HTTP/2 connection over SSL that has been established and is TCP-congested is leaked when it times out. An attacker can cause many connections to end up in this state, so the server may run out of file descriptors and eventually stop accepting new connections from valid clients. A client can also be affected if the server does not read, causing TCP congestion, but the issue is more severe for servers.
Recommendations
For versions prior to 9.4.54, update to version 9.4.54 or later.
For versions prior to 10.0.20, update to version 10.0.20 or later.
For versions prior to 11.0.20, update to version 11.0.20 or later.
For versions prior to 12.0.6, update to version 12.0.6 or later.
As a temporary workaround, consider disabling HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. Note that HTTP/1.x is not affected.
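A version-triage check for the affected ranges listed above, added here as an example (it is not part of the advisory or the Jetty project's own code); the version-string format and the per-branch reading of the ranges are assumptions:

```python
import re
from typing import Optional

# Fixed releases per branch, taken from the recommendations above.
FIXED_VERSIONS = {
    (9, 4): (9, 4, 54),
    (10, 0): (10, 0, 20),
    (11, 0): (11, 0, 20),
    (12, 0): (12, 0, 6),
}
OLDEST_FIX = min(FIXED_VERSIONS.values())  # (9, 4, 54)


def parse_jetty_version(version: str) -> tuple:
    """Return (major, minor, patch) from a Jetty version string.

    Assumption: strings look like '9.4.53.v20231009' or '12.0.5'; only the
    leading dotted integers are compared and any suffix is ignored.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True when the version is below its branch's fixed release.

    Branch semantics are an assumption: a version in a listed branch is
    compared against that branch's fix; a version older than every listed
    fix (e.g. 9.3.x) is affected; anything else (e.g. a later 12.1.x) is
    treated as already carrying the fix.
    """
    parsed = parse_jetty_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is not None:
        return parsed < fixed
    return parsed < OLDEST_FIX


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release to upgrade to, or None when already patched."""
    if not is_affected(version):
        return None
    parsed = parse_jetty_version(version)
    target = FIXED_VERSIONS.get(parsed[:2], OLDEST_FIX)
    return ".".join(str(part) for part in target)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["9.4.53.v20231009", "10.0.20", "11.0.19", "12.0.6", "9.3.30"]:
        print(v, "->", recommended_fix(v) or "patched")
```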

Exploit

Fix

Weakness Enumeration

Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

ALSA-2025_16880
ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2024-03239
CVE-2024-22201
DLA-3780-1
DSA-5664-1
GHSA-RGGV-CV7R-MW98
OPENSUSE-SU-2024:13724-1
RHSA-2024:3634
RHSA-2024:3635
RHSA-2024:3636
RHSA-2024:4597
SUSE-SU-2024:0817-1
SUSE-SU-2024_0817-1

Affected Products

Alt Linux
Astra Linux
Jetty
Red Os
Suse