Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-r7m4-f9h5-gr79: Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

  • https://github.com/jetty/jetty.project/pull/9715
  • https://github.com/jetty/jetty.project/pull/9716

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:

  • not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
  • reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.
  • configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

References

  • https://github.com/jetty/jetty.project/pull/10756
  • https://github.com/jetty/jetty.project/pull/10755
ghsa
Open in Source
#vulnerability#web#git#java#auth#maven

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

    • Codespaces

      Instant dev environments

    • Issues

      Plan and track work

    • Code Review

      Manage code changes

    • Discussions

      Collaborate outside of code

    • Code Search

      Find more, search less

  • Explore

    • Learning Pathways
    • White papers, Ebooks, Webinars
    • Customer Stories
    • Partners

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-6762

Eclipse Jetty’s PushSessionCacheFilter can cause remote DoS attacks

Low severity GitHub Reviewed Published Oct 14, 2024 in jetty/jetty.project • Updated Oct 14, 2024

Package

maven org.eclipse.jetty:jetty-servlets (Maven)

Affected versions

>= 10.0.0, <= 10.0.17

>= 11.0.0, <= 11.0.17

>= 12.0.0, <= 12.0.3

Patched versions

10.0.18

11.0.18

12.0.4

Description

Published to the GitHub Advisory Database

Oct 14, 2024

Last updated

Oct 14, 2024

ghsa: Latest News

GHSA-pf5v-pqfv-x8jj: OpenCanary Executes Commands From Potentially Writable Config File
ghsa