CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: High
EPSS
Percentile: 15.5%
jetty-http is vulnerable to Denial of Service (DoS). The vulnerability is due to GOAWAY frames failing to be written to the queue when there is TCP congestion within the server. An attacker can exploit idle timeout periods to leave HTTP/2 or HTTP/3 connections in the ESTABLISHED state even after they have timed out, resulting in denial of service as the server runs out of available file descriptors.
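A monitoring check for the symptom described above, as an added example that is not part of the advisory or of Jetty: it counts ESTABLISHED sockets on the server port from /proc/net/tcp-format text, flags those with unacknowledged data still queued, and compares the total against a file descriptor limit. The port (8443), the limit, the 80% warning ratio and the sample rows are assumptions constructed for illustration.

```python
# Added example, not from the advisory. The rows below are constructed
# sample data in /proc/net/tcp format (Linux); port 8443 is an assumption.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   998        0 41001
   1: 0A00000A:20FB 0B00000A:C350 01 00000000:00000000 00:00000000 00000000   998        0 41002
   2: 0A00000A:20FB 0C00000A:C351 01 00004E20:00000000 01:00000014 00000003   998        0 41003
   3: 0A00000A:20FB 0C00000A:C352 01 00004E20:00000000 01:00000014 00000005   998        0 41004
   4: 0A00000A:0016 0D00000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 41005
"""

TCP_ESTABLISHED = 0x01  # kernel state code in the "st" column


def established_on_port(proc_net_tcp, port):
    """Return [(remote_addr_hex, tx_queue_bytes)] for ESTABLISHED sockets on `port`."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        state = int(fields[3], 16)
        if local_port == port and state == TCP_ESTABLISHED:
            # tx_queue: bytes queued by the server and not yet acknowledged
            tx_queue = int(fields[4].split(":")[0], 16)
            rows.append((fields[2], tx_queue))
    return rows


def assess(proc_net_tcp, port, fd_limit, warn_ratio=0.8):
    """Summarise connection pressure on `port` against a descriptor limit."""
    conns = established_on_port(proc_net_tcp, port)
    stalled = [remote for remote, tx in conns if tx > 0]
    return {
        "established": len(conns),
        "stalled_writes": len(stalled),
        "fd_pressure": len(conns) >= warn_ratio * fd_limit,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PROC_NET_TCP, port=8443, fd_limit=1024))
```

On a Linux host, pass the contents of /proc/net/tcp (or /proc/net/tcp6, which uses the same columns) and the "Max open files" value from /proc/<pid>/limits of the server process.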
www.openwall.com/lists/oss-security/2024/03/20/2
github.com/advisories/GHSA-rggv-cv7r-mw98
github.com/jetty/jetty.project/commit/0839a208cdc3fcfe25206a77af59ba9fda260188
github.com/jetty/jetty.project/commit/b953871c9a5ff4fbca4a2499848f75182dbd9810
github.com/jetty/jetty.project/issues/11256
github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
lists.debian.org/debian-lts-announce/2024/04/msg00002.html
security.netapp.com/advisory/ntap-20240329-0001/