Denial Of Service

2024-02-2710:15:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

jetty-http

denial of service

vulnerability

tcp congestion

http/2

http/3

established state

file descriptors

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

Percentile

15.5%

JSON

jetty-http is vulnerable to Denial Of Service (DoS). The vulnerability is due to GOAWAY frames failing to be written to the queue when there is TCP congestion within the server. An attacker can exploit idle timeout periods to leave HTTP/2 or 3 connections in the ESTABLISHED state, even when they timed out, resulting in Denial of Service as the server runs out of available file descriptors.