GHSA-r7m4-f9h5-gr79

Source
https://github.com/advisories/GHSA-r7m4-f9h5-gr79
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-r7m4-f9h5-gr79/GHSA-r7m4-f9h5-gr79.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r7m4-f9h5-gr79
Aliases
Published
2024-10-14T21:07:29Z
Modified
2024-11-08T22:23:53.205440Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks
Details

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

  • https://github.com/jetty/jetty.project/pull/9715
  • https://github.com/jetty/jetty.project/pull/9716

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
  • not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
  • reducing the idle timeout on unauthenticated sessions, which reduces the time such sessions stay in memory.
  • configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

References

  • https://github.com/jetty/jetty.project/pull/10756
  • https://github.com/jetty/jetty.project/pull/10755
Database specific
{
    "nvd_published_at": "2024-10-14T16:15:03Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-14T21:07:29Z"
}
Affected packages

Maven / org.eclipse.jetty:jetty-servlets

Package

Name
org.eclipse.jetty:jetty-servlets
Purl
pkg:maven/org.eclipse.jetty/jetty-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.18

Affected versions

10.*

10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.0.10
10.0.11
10.0.12
10.0.13
10.0.14
10.0.15
10.0.16
10.0.17

Database specific

{
    "last_known_affected_version_range": "<= 10.0.17"
}

Maven / org.eclipse.jetty:jetty-servlets

Package

Name
org.eclipse.jetty:jetty-servlets
Purl
pkg:maven/org.eclipse.jetty/jetty-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.18

Affected versions

11.*

11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.0.9
11.0.10
11.0.11
11.0.12
11.0.13
11.0.14
11.0.15
11.0.16
11.0.17

Database specific

{
    "last_known_affected_version_range": "<= 11.0.17"
}

Maven / org.eclipse.jetty:jetty-servlets

Package

Name
org.eclipse.jetty:jetty-servlets
Purl
pkg:maven/org.eclipse.jetty/jetty-servlets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.4

Database specific

{
    "last_known_affected_version_range": "<= 12.0.3"
}