PT-2024-37856 · Jetty+2 · Jetty+2
Jerdfelt
+2
·
Published
2024-10-14
·
Updated
2025-07-01
·
CVE-2024-6762
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Jetty (affected versions not specified)
Description
The Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote Denial of Service (DoS) attacks by exhausting the server's memory. This issue allows attackers to remotely attack the server, potentially causing it to run out of memory.
Recommendations
To resolve the issue, consider the following workarounds:
- Avoid using the PushCacheFilter, as Push has been deprecated by the various IETF specs and early hints responses should be used instead.
- Reduce the idle timeout on unauthenticated sessions to reduce the time such sessions stay in memory.
- Configure a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
DoS
Resource Exhaustion
Improper Resource Release
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Debian
Jetty
Red Os