{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-9823","assignerOrgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","state":"PUBLISHED","assignerShortName":"eclipse","dateReserved":"2024-10-10T15:56:32.744Z","datePublished":"2024-10-14T15:03:02.293Z","dateUpdated":"2025-11-03T19:35:02.369Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://repo.maven.apache.org/maven2/","defaultStatus":"unaffected","modules":["jetty-servlets"],"packageName":"org.eclipse.jetty:jetty-servlets","product":"Jetty","repo":"https://github.com/jetty/jetty.project","vendor":"Eclipse Foundation","versions":[{"lessThan":"9.4.54","status":"affected","version":"9.0.0","versionType":"semvar"},{"lessThan":"10.0.18","status":"affected","version":"10.0.0","versionType":"semvar"},{"lessThan":"11.0.18","status":"affected","version":"11.0.0","versionType":"semver"}]},{"collectionURL":"https://repo.maven.apache.org/maven2/","defaultStatus":"unaffected","modules":["jetty-ee8-servlets"],"packageName":"org.eclipse.jetty.ee8:jetty-ee8-servlets","product":"Jetty","repo":"https://github.com/jetty/jetty.project","vendor":"Eclipse Jetty","versions":[{"lessThan":"12.0.3","status":"affected","version":"12.0.0","versionType":"semvar"}]},{"collectionURL":"https://repo.maven.apache.org/maven2/","defaultStatus":"unaffected","modules":["jetty-ee9-servlets"],"packageName":"org.eclipse.jetty.ee8:jetty-ee9-servlets","product":"Jetty","repo":"https://github.com/jetty/jetty.project","vendor":"Eclipse Jetty","versions":[{"lessThan":"12.0.3","status":"affected","version":"12.0.0","versionType":"semver"}]},{"collectionURL":"https://repo.maven.apache.org/maven2/","defaultStatus":"unaffected","modules":["jetty-ee10-servlets"],"packageName":"org.eclipse.jetty.ee8:jetty-ee10-servlets","product":"Jetty","repo":"https://github.com/jetty/jetty.project","vendor":"Eclipse Jetty","versions":[{"lessThan":"12.0.3","status":"affected","version":"12.0.0","versionType":"semvar"}]}],"credits":[{"lang":"en","type":"finder","value":"Lian Kee"}],"datePublic":"2024-10-14T15:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.<br>"}],"value":"There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"CWE-400 Uncontrolled Resource Consumption","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","shortName":"eclipse","dateUpdated":"2024-10-14T15:29:14.390Z"},"references":[{"url":"https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"},{"url":"https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"},{"url":"https://github.com/jetty/jetty.project/issues/1256"}],"source":{"discovery":"UNKNOWN"},"title":"Jetty DOS vulnerability on DosFilter","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The <code>DoSFilter</code> can be configured to not use sessions for tracking usage by setting the <code>trackSessions</code> init parameter to <code>false</code>.  This will then use only the IP tracking mechanism, which is not vulnerable.<br>\nSessions can also be configured to have aggressive passivation or inactivation limits.<br>"}],"value":"The DoSFilter can be configured to not use sessions for tracking usage by setting the trackSessions init parameter to false.  This will then use only the IP tracking mechanism, which is not vulnerable.\n\nSessions can also be configured to have aggressive passivation or inactivation limits."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"eclipse","product":"jetty","cpes":["cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"9.0.0","status":"affected","lessThan":"9.4.54","versionType":"semver"},{"version":"10.0.0","status":"affected","lessThan":"10.0.18","versionType":"semver"},{"version":"11.0.0","status":"affected","lessThan":"11.0.18","versionType":"semver"},{"version":"12.0.0","status":"affected","lessThan":"12.0.3","versionType":"semver"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-10-15T17:46:11.062398Z","id":"CVE-2024-9823","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-15T17:49:38.804Z"}},{"title":"CVE Program Container","references":[{"url":"https://security.netapp.com/advisory/ntap-20250306-0006/"},{"url":"https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:35:02.369Z"}}]}}