cvelist
GitHub_M
CVELIST:CVE-2024-22201
History: Feb 26, 2024 - 4:13 p.m.

CVE-2024-22201 Jetty connection leaking on idle timeout when TCP congested

2024-02-26 16:13:33
CWE-400
GitHub_M
www.cve.org
jetty
http/2 ssl
tcp congestion
connection leakage
file descriptors
server vulnerability
patched versions

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.6
Confidence: High

EPSS: 0
Percentile: 15.5%

Jetty is a Java-based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

CNA Affected

[
  {
    "vendor": "jetty",
    "product": "jetty.project",
    "versions": [
      {
        "version": ">= 9.3.0, <= 9.4.53",
        "status": "affected"
      },
      {
        "version": ">= 10.0.0, <= 10.0.19",
        "status": "affected"
      },
      {
        "version": ">= 11.0.0, <= 11.0.19",
        "status": "affected"
      },
      {
        "version": ">= 12.0.0, <= 12.0.5",
        "status": "affected"
      }
    ]
  }
]
