PT-2024-9612 · Eclipse · Eclipse Jetty

Lian Kee

Published 2024-10-14 · Updated 2026-05-18 · CVE-2024-9823

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions prior to 9.4.54
Eclipse Jetty versions prior to 10.0.18
Eclipse Jetty versions prior to 11.0.18
Eclipse Jetty versions prior to 12.0.3
Description

A vulnerability in Jetty's DoSFilter allows a remote, unauthenticated attacker to cause a denial of service. By repeatedly sending crafted requests, the attacker can drive the server into an OutOfMemory condition and exhaust its heap; confidentiality and integrity are not affected (the CVSS vector scores only availability). DoSFilter is intended to protect web applications against certain kinds of DoS attacks, but the internal per-client request-tracking state it keeps is itself the source of the memory exhaustion. Deployments that use DoSFilter are exposed unless they have configured session passivation or an aggressive session inactivation timeout, which bounds how long that tracking state is retained.
Recommendations

For Eclipse Jetty versions prior to 9.4.54, update to version 9.4.54 or later.
For Eclipse Jetty versions prior to 10.0.18, update to version 10.0.18 or later.
For Eclipse Jetty versions prior to 11.0.18, update to version 11.0.18 or later.
For Eclipse Jetty versions prior to 12.0.3, update to version 12.0.3 or later.

As a temporary workaround until the update is applied, configure session passivation or an aggressive session inactivation timeout so that the tracking state DoSFilter keeps is discarded quickly. This limits how much memory an attacker can consume; it does not remove the underlying defect, so upgrading remains the fix.
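The following web.xml fragment is an added example and is not taken from this advisory or from the Jetty project. It shows the interim workaround in configuration form: DoSFilter stays registered, and the servlet session timeout is cut to a few minutes so that any tracking state DoSFilter associates with a session is released soon after the client stops sending requests. The filter init-parameter values (maxRequestsPerSec, delayMs, maxIdleTrackerMs) and the 5-minute timeout are illustrative assumptions to be tuned per application; the filter class name given is the one used by Jetty 9 through 11, and Jetty 12 packages DoSFilter under its environment-specific servlets module, so adjust the class name and the web-app namespace to the deployed version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the advisory or the Jetty project.
     Registers DoSFilter and shortens the HTTP session inactivity timeout
     as the advisory's interim workaround. All numeric values below are
     illustrative assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">

  <!-- DoSFilter from jetty-servlets (Jetty 9-11 class name; Jetty 12 moves it
       to an ee-specific package). Parameter names are DoSFilter's own;
       the values are assumptions chosen for illustration. -->
  <filter>
    <filter-name>DoSFilter</filter-name>
    <filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>
    <init-param>
      <!-- requests per second per client before throttling begins -->
      <param-name>maxRequestsPerSec</param-name>
      <param-value>25</param-value>
    </init-param>
    <init-param>
      <!-- delay imposed on requests over the limit, in milliseconds -->
      <param-name>delayMs</param-name>
      <param-value>100</param-value>
    </init-param>
    <init-param>
      <!-- how long an idle client's rate tracker is kept, in milliseconds -->
      <param-name>maxIdleTrackerMs</param-name>
      <param-value>30000</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>DoSFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Advisory workaround: aggressive session inactivation timeout.
       Value is in minutes; 5 is an assumption, many containers default
       to 30. Sessions, and any DoSFilter state held in them, are
       invalidated after this period of inactivity. -->
  <session-config>
    <session-timeout>5</session-timeout>
  </session-config>

</web-app>
```

This configuration only narrows the window in which an attacker can accumulate tracking state; it does not change the defect in the filter, so it should be treated as a stopgap until the fixed Jetty release listed above is deployed.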

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2024-11324
CLEANSTART-2026-DD05788
CLEANSTART-2026-GH89210
CLEANSTART-2026-VH41554
CVE-2024-9823
DLA-4106-1
DLA-4106-2
DSA-5894-1
GHSA-7HCF-PPF8-5W5H
GHSA-J26W-F9RQ-MR2Q

Affected Products

Debian
Eclipse Jetty
RED OS