Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server’s memory.
"}],"value":"Jetty PushSessionCacheFilter can be exploited by unauthenticated users \nto launch remote DoS attacks by exhausting the server’s memory."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"CWE-400 Uncontrolled Resource Consumption","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","shortName":"eclipse","dateUpdated":"2024-10-14T15:07:10.942Z"},"references":[{"url":"https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79"},{"url":"https://gitlab.eclipse.org/security/cve-assignement/-/issues/24"},{"url":"https://github.com/jetty/jetty.project/pull/9715"},{"url":"https://github.com/jetty/jetty.project/pull/9716"},{"url":"https://github.com/jetty/jetty.project/pull/10756"},{"url":"https://github.com/jetty/jetty.project/pull/10755"}],"source":{"discovery":"UNKNOWN"},"title":"Jetty PushSessionCacheFilter can cause remote DoS attacks","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"
The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
\n
\n
not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.
\n
reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.
\n
configuring a session cache to use session passivation,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory.
\n
"}],"value":"The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:\n\n\n\n * not using the PushCacheFilter. Push has been deprecated by the \nvarious IETF specs and early hints responses should be used instead.\n\n * reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.\n\n * configuring a session cache to use session passivation https://jetty.org/docs/jetty/12/programming-guide/server/session.html ,\n so that sessions are not stored in memory, but rather in a database or \nfile system that may have significantly more capacity than memory."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-10-15T17:42:42.629742Z","id":"CVE-2024-6762","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-15T17:42:50.434Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:34:37.967Z"}}]}}