Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
Typedeb
Namespacedebian
Namejetty9
Version9.4.57-1.1~deb12u1
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-1ejr-3tea-kydr
vulnerability_id VCID-1ejr-3tea-kydr
summary 
Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks
### Impact
 Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

### Patches
* https://github.com/jetty/jetty.project/pull/9715
* https://github.com/jetty/jetty.project/pull/9716

### Workarounds
The session usage is intrinsic to the design of the PushCacheFilter.  The issue can be avoided by:
 + not using the PushCacheFilter.  Push has been deprecated by the various IETF specs and early hints responses should be used instead.
 + reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.
 + configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

### References
* https://github.com/jetty/jetty.project/pull/10756
* https://github.com/jetty/jetty.project/pull/10755
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6762.json
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6762.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-6762
reference_id
reference_type
scores
0
value 0.00563
scoring_system epss
scoring_elements 0.68453
published_at 2026-04-26T12:55:00Z
1
value 0.00563
scoring_system epss
scoring_elements 0.68448
published_at 2026-04-24T12:55:00Z
2
value 0.00563
scoring_system epss
scoring_elements 0.684
published_at 2026-04-21T12:55:00Z
3
value 0.00563
scoring_system epss
scoring_elements 0.68423
published_at 2026-04-18T12:55:00Z
4
value 0.00563
scoring_system epss
scoring_elements 0.68409
published_at 2026-04-16T12:55:00Z
5
value 0.00563
scoring_system epss
scoring_elements 0.68404
published_at 2026-04-12T12:55:00Z
6
value 0.00563
scoring_system epss
scoring_elements 0.68371
published_at 2026-04-13T12:55:00Z
7
value 0.00563
scoring_system epss
scoring_elements 0.68416
published_at 2026-04-11T12:55:00Z
8
value 0.00563
scoring_system epss
scoring_elements 0.68389
published_at 2026-04-09T12:55:00Z
9
value 0.00563
scoring_system epss
scoring_elements 0.68372
published_at 2026-04-08T12:55:00Z
10
value 0.00563
scoring_system epss
scoring_elements 0.68321
published_at 2026-04-07T12:55:00Z
11
value 0.00563
scoring_system epss
scoring_elements 0.68345
published_at 2026-04-04T12:55:00Z
12
value 0.00563
scoring_system epss
scoring_elements 0.68325
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-6762
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6762
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6762
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
5
reference_url https://github.com/jetty/jetty.project/pull/10755
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/10755
6
reference_url https://github.com/jetty/jetty.project/pull/10756
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/10756
7
reference_url https://github.com/jetty/jetty.project/pull/9715
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/9715
8
reference_url https://github.com/jetty/jetty.project/pull/9716
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/pull/9716
9
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
10
reference_url https://gitlab.eclipse.org/security/cve-assignement/-/issues/24
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:42:42Z/
url https://gitlab.eclipse.org/security/cve-assignement/-/issues/24
11
reference_url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-6762
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-6762
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085697
reference_id 1085697
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085697
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2318562
reference_id 2318562
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2318562
15
reference_url https://github.com/advisories/GHSA-r7m4-f9h5-gr79
reference_id GHSA-r7m4-f9h5-gr79
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r7m4-f9h5-gr79
fixed_packages
0
url pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
purl pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
aliases CVE-2024-6762, GHSA-r7m4-f9h5-gr79
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1ejr-3tea-kydr
1
url VCID-gdcf-9axf-1yaq
vulnerability_id VCID-gdcf-9axf-1yaq
summary 
Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability
## Technical Details 
Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.”

### MadeYouReset Vulnerability Summary
The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service.

### Mechanism
The vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame). 
The vulnerability could be triggered by several primitives, defined by the RFC of HTTP/2 (RFC 9113). The Primitives are:
1. WINDOW_UPDATE frame with an increment of 0 or an increment that makes the window exceed 2^31 - 1. (section 6.9 + 6.9.1)
2. HEADERS or DATA frames sent on a half-closed (remote) stream (which was closed using the END_STREAM flag). (note that for some implementations it's possible a CONTINUATION frame to trigger that as well - but it's very rare). (Section 5.1)
3. PRIORITY frame with a length other than 5. (section 6.3)
From our experience, the primitives are likely to exist in the decreasing order listed above.
Note that based on the implementation of the library, other primitives (which are not defined by the RFC) might exist - meaning scenarios in which RST_STREAM is not supposed to be sent, but in the implementation it does. On the other hand - some RFC-defined primitives might not work, even though they are defined by the RFC (as some implementations are not fully complying with RFC). For example, some implementations we’ve seen discard the PRIORITY frame - and thus does not return RST_STREAM, and some implementations send GO_AWAY when receiving a WINDOW_UPDATE frame with increment of 0.

The vulnerability takes advantage of a design flaw in the HTTP/2 protocol - While HTTP/2 has a limit on the number of concurrently active streams per connection (which is usually 100, and is set by the parameter SETTINGS_MAX_CONCURRENT_STREAMS), the number of active streams is not counted correctly - when a stream is reset, it is immediately considered not active, and thus unaccounted for in the active streams counter. 
While the protocol does not count those streams as active, the server’s backend logic still processes and handles the requests that were canceled.

Thus, the attacker can exploit this vulnerability to cause the server to handle an unbounded number of concurrent streams from a client on the same connection. The exploitation is very simple: the client issues a request in a stream, and then sends the control frame that causes the server to send a RST_STREAM.

### Attack Flow
For example, a possible attack scenario can be: 
1. Attacker opens an HTTP/2 connection to the server.
2. Attacker sends HEADERS frame with END_STREAM flag on a new stream X.  
3. Attacker sends WINDOW_UPDATE for stream X with flow-control window of 0.
4. The server receives the WINDOW_UPDATE and immediately sends RST_STREAM for stream X to the client (+ decreases the active streams counter by 1).

The attacker can repeat steps 2+3 as rapidly as it is capable, since the active streams counter never exceeds 1 and the attacker does not need to wait for the response from the server.
This leads to resource exhaustion and distributed denial of service vulnerabilities with an impact of: CPU overload and/or memory exhaustion (implementation dependant)

### Comparison to Rapid Reset
The vulnerability takes advantage of a design flow in the HTTP/2 protocol that was also used in the Rapid Reset vulnerability (CVE-2023-44487) which was exploited as a zero-day in the wild in August 2023 to October 2023, against multiple services and vendors.
The Rapid Reset vulnerability uses RST_STREAM frames sent from the client, in order to create an unbounded amount of concurrent streams - it was given a CVSS score of 7.5.
Rapid Reset was mostly mitigated by limiting the number/rate of RST_STREAM sent from the client, which does not mitigate the MadeYouReset attack - since it triggers the server to send a RST_STREAM.

### Suggested Mitigations for MadeYouReset
A quick and easy mitigation will be to limit the number/rate of RST_STREAMs sent from the server.
It is also possible to limit the number/rate of control frames sent by the client (e.g. WINDOW_UPDATE and PRIORITY), and treat protocol flow errors as a connection error.

As mentioned in our previous message, this is a protocol-level vulnerability that affects multiple vendors and implementations. Given its broad impact, it is the shared responsibility of all parties involved to handle the disclosure process carefully and coordinate mitigations effectively.


If you have any questions, we will be happy to clarify or schedule a Zoom call.

Gal, Anat and Yaniv.



## Jetty's Team Notes

### Impact
A denial of service vulnerability similar to [Rapid Reset](https://github.com/jetty/jetty.project/security/advisories/GHSA-c745-7wm4-7738), but where the client triggers a reset from the server by sending a malformed or invalid frame.
In particular, this may be triggered by WINDOW_UPDATE frames that are invalid (e.g. with `delta==0` or when the delta makes the window exceed `2^31-1`).

### Patches
Patch has been merged into 12.0.x mainline via https://github.com/jetty/jetty.project/pull/13449.

### Workarounds
No workarounds apart disabling HTTP/2.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5115.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5115.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-5115
reference_id
reference_type
scores
0
value 0.00125
scoring_system epss
scoring_elements 0.31521
published_at 2026-04-24T12:55:00Z
1
value 0.00125
scoring_system epss
scoring_elements 0.31693
published_at 2026-04-21T12:55:00Z
2
value 0.00125
scoring_system epss
scoring_elements 0.31724
published_at 2026-04-18T12:55:00Z
3
value 0.00125
scoring_system epss
scoring_elements 0.31747
published_at 2026-04-16T12:55:00Z
4
value 0.00125
scoring_system epss
scoring_elements 0.31715
published_at 2026-04-13T12:55:00Z
5
value 0.00125
scoring_system epss
scoring_elements 0.3175
published_at 2026-04-12T12:55:00Z
6
value 0.00125
scoring_system epss
scoring_elements 0.3179
published_at 2026-04-11T12:55:00Z
7
value 0.00125
scoring_system epss
scoring_elements 0.31757
published_at 2026-04-08T12:55:00Z
8
value 0.00125
scoring_system epss
scoring_elements 0.31706
published_at 2026-04-07T12:55:00Z
9
value 0.00125
scoring_system epss
scoring_elements 0.31887
published_at 2026-04-04T12:55:00Z
10
value 0.00125
scoring_system epss
scoring_elements 0.31843
published_at 2026-04-02T12:55:00Z
11
value 0.00125
scoring_system epss
scoring_elements 0.31787
published_at 2026-04-09T12:55:00Z
12
value 0.00137
scoring_system epss
scoring_elements 0.33277
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-5115
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5115
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5115
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
5
reference_url https://github.com/jetty/jetty.project/commit/f9ee3904788b08203ed62c95a560d951da37bdb1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project/commit/f9ee3904788b08203ed62c95a560d951da37bdb1
6
reference_url https://github.com/jetty/jetty.project/pull/13449
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-20T19:28:04Z/
url https://github.com/jetty/jetty.project/pull/13449
7
reference_url https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-20T19:28:04Z/
url https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26
8
reference_url https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-20T19:28:04Z/
url https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26
9
reference_url https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-20T19:28:04Z/
url https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25
10
reference_url https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-20T19:28:04Z/
url https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0
11
reference_url https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-20T19:28:04Z/
url https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814
12
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-20T19:28:04Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
13
reference_url https://lists.debian.org/debian-lts-announce/2025/09/msg00014.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/09/msg00014.html
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-5115
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-5115
15
reference_url https://www.kb.cert.org/vuls/id/767506
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.kb.cert.org/vuls/id/767506
16
reference_url http://www.openwall.com/lists/oss-security/2025/08/20/4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/20/4
17
reference_url http://www.openwall.com/lists/oss-security/2025/09/17/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/09/17/1
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111765
reference_id 1111765
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111765
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111766
reference_id 1111766
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111766
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2373310
reference_id 2373310
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2373310
21
reference_url https://github.com/advisories/GHSA-mmxm-8w33-wc4h
reference_id GHSA-mmxm-8w33-wc4h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mmxm-8w33-wc4h
22
reference_url https://access.redhat.com/errata/RHSA-2025:14911
reference_id RHSA-2025:14911
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:14911
23
reference_url https://access.redhat.com/errata/RHSA-2025:16454
reference_id RHSA-2025:16454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16454
24
reference_url https://access.redhat.com/errata/RHSA-2025:16455
reference_id RHSA-2025:16455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16455
25
reference_url https://access.redhat.com/errata/RHSA-2025:16456
reference_id RHSA-2025:16456
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16456
26
reference_url https://access.redhat.com/errata/RHSA-2025:16457
reference_id RHSA-2025:16457
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16457
27
reference_url https://access.redhat.com/errata/RHSA-2025:16459
reference_id RHSA-2025:16459
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16459
28
reference_url https://access.redhat.com/errata/RHSA-2025:16460
reference_id RHSA-2025:16460
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16460
29
reference_url https://access.redhat.com/errata/RHSA-2025:16461
reference_id RHSA-2025:16461
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16461
30
reference_url https://access.redhat.com/errata/RHSA-2025:16462
reference_id RHSA-2025:16462
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16462
31
reference_url https://access.redhat.com/errata/RHSA-2025:16989
reference_id RHSA-2025:16989
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:16989
32
reference_url https://access.redhat.com/errata/RHSA-2025:17567
reference_id RHSA-2025:17567
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17567
fixed_packages
0
url pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
purl pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
aliases CVE-2025-5115, GHSA-mmxm-8w33-wc4h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gdcf-9axf-1yaq
2
url VCID-gq93-ctd4-aqbp
vulnerability_id VCID-gq93-ctd4-aqbp
summary 
Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
### Impact
Remote DOS attack can cause out of memory 

### Description
There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which
can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By
repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the
server's memory.

### Affected Versions

* Jetty 12.0.0-12.0.8 (Supported)
* Jetty 11.0.0-11.0.23 (EOL)
* Jetty 10.0.0-10.0.23 (EOL)
* Jetty 9.3.12-9.4.55 (EOL)

### Patched Versions

* Jetty 12.0.9
* Jetty 11.0.24
* Jetty 10.0.24
* Jetty 9.4.56

### Workarounds

Do not use `ThreadLimitHandler`.  
Consider use of `QoSHandler` instead to artificially limit resource utilization.

### References

Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8184.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8184.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-8184
reference_id
reference_type
scores
0
value 0.011
scoring_system epss
scoring_elements 0.78106
published_at 2026-04-26T12:55:00Z
1
value 0.011
scoring_system epss
scoring_elements 0.78099
published_at 2026-04-24T12:55:00Z
2
value 0.011
scoring_system epss
scoring_elements 0.78065
published_at 2026-04-21T12:55:00Z
3
value 0.01487
scoring_system epss
scoring_elements 0.81043
published_at 2026-04-12T12:55:00Z
4
value 0.01487
scoring_system epss
scoring_elements 0.80982
published_at 2026-04-02T12:55:00Z
5
value 0.01487
scoring_system epss
scoring_elements 0.81056
published_at 2026-04-11T12:55:00Z
6
value 0.01487
scoring_system epss
scoring_elements 0.81039
published_at 2026-04-09T12:55:00Z
7
value 0.01487
scoring_system epss
scoring_elements 0.81033
published_at 2026-04-08T12:55:00Z
8
value 0.01487
scoring_system epss
scoring_elements 0.81006
published_at 2026-04-04T12:55:00Z
9
value 0.01487
scoring_system epss
scoring_elements 0.81004
published_at 2026-04-07T12:55:00Z
10
value 0.01487
scoring_system epss
scoring_elements 0.81074
published_at 2026-04-18T12:55:00Z
11
value 0.01487
scoring_system epss
scoring_elements 0.81073
published_at 2026-04-16T12:55:00Z
12
value 0.01487
scoring_system epss
scoring_elements 0.81036
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-8184
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8184
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8184
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
5
reference_url https://github.com/jetty/jetty.project/pull/11723
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:41:50Z/
url https://github.com/jetty/jetty.project/pull/11723
6
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:41:50Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
7
reference_url https://gitlab.eclipse.org/security/cve-assignement/-/issues/30
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:41:50Z/
url https://gitlab.eclipse.org/security/cve-assignement/-/issues/30
8
reference_url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-8184
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-8184
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2318564
reference_id 2318564
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2318564
11
reference_url https://github.com/advisories/GHSA-g8m5-722r-8whq
reference_id GHSA-g8m5-722r-8whq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g8m5-722r-8whq
fixed_packages
0
url pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
purl pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
aliases CVE-2024-8184, GHSA-g8m5-722r-8whq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gq93-ctd4-aqbp
3
url VCID-kx4x-gnk4-yugu
vulnerability_id VCID-kx4x-gnk4-yugu
summary 
**UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-13009.json
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-13009.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-13009
reference_id
reference_type
scores
0
value 0.00425
scoring_system epss
scoring_elements 0.62281
published_at 2026-04-24T12:55:00Z
1
value 0.00554
scoring_system epss
scoring_elements 0.68143
published_at 2026-04-26T12:55:00Z
2
value 0.00554
scoring_system epss
scoring_elements 0.68021
published_at 2026-04-02T12:55:00Z
3
value 0.00554
scoring_system epss
scoring_elements 0.6804
published_at 2026-04-04T12:55:00Z
4
value 0.00554
scoring_system epss
scoring_elements 0.68017
published_at 2026-04-07T12:55:00Z
5
value 0.00554
scoring_system epss
scoring_elements 0.68069
published_at 2026-04-08T12:55:00Z
6
value 0.00554
scoring_system epss
scoring_elements 0.68083
published_at 2026-04-09T12:55:00Z
7
value 0.00554
scoring_system epss
scoring_elements 0.68107
published_at 2026-04-11T12:55:00Z
8
value 0.00554
scoring_system epss
scoring_elements 0.68093
published_at 2026-04-12T12:55:00Z
9
value 0.00554
scoring_system epss
scoring_elements 0.6806
published_at 2026-04-13T12:55:00Z
10
value 0.00554
scoring_system epss
scoring_elements 0.68097
published_at 2026-04-16T12:55:00Z
11
value 0.00554
scoring_system epss
scoring_elements 0.68109
published_at 2026-04-18T12:55:00Z
12
value 0.00554
scoring_system epss
scoring_elements 0.68091
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-13009
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13009
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13009
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
5
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T18:55:32Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5
6
reference_url https://gitlab.eclipse.org/security/cve-assignement/-/issues/48
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T18:55:32Z/
url https://gitlab.eclipse.org/security/cve-assignement/-/issues/48
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-13009
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-13009
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2365135
reference_id 2365135
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2365135
9
reference_url https://github.com/advisories/GHSA-q4rv-gq96-w7c5
reference_id GHSA-q4rv-gq96-w7c5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q4rv-gq96-w7c5
10
reference_url https://access.redhat.com/errata/RHSA-2025:15643
reference_id RHSA-2025:15643
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:15643
11
reference_url https://access.redhat.com/errata/RHSA-2025:9697
reference_id RHSA-2025:9697
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:9697
fixed_packages
0
url pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
purl pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
aliases CVE-2024-13009, GHSA-q4rv-gq96-w7c5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kx4x-gnk4-yugu
4
url VCID-memq-11qz-9qem
vulnerability_id VCID-memq-11qz-9qem
summary 
Eclipse Jetty has a denial of service vulnerability on DosFilter
Description
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.


Vulnerability details
The Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server.  The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds.  The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.


Impact
Users of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.


Patches
The DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.


Patched releases:

  *  9.4.54
  *  10.0.18
  *  11.0.18
  *  12.0.3
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9823.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-9823.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-9823
reference_id
reference_type
scores
0
value 0.0068
scoring_system epss
scoring_elements 0.71659
published_at 2026-04-26T12:55:00Z
1
value 0.0068
scoring_system epss
scoring_elements 0.71654
published_at 2026-04-24T12:55:00Z
2
value 0.0068
scoring_system epss
scoring_elements 0.71604
published_at 2026-04-21T12:55:00Z
3
value 0.0068
scoring_system epss
scoring_elements 0.71543
published_at 2026-04-02T12:55:00Z
4
value 0.0068
scoring_system epss
scoring_elements 0.71618
published_at 2026-04-16T12:55:00Z
5
value 0.0068
scoring_system epss
scoring_elements 0.71592
published_at 2026-04-12T12:55:00Z
6
value 0.0068
scoring_system epss
scoring_elements 0.71608
published_at 2026-04-11T12:55:00Z
7
value 0.0068
scoring_system epss
scoring_elements 0.71585
published_at 2026-04-09T12:55:00Z
8
value 0.0068
scoring_system epss
scoring_elements 0.71574
published_at 2026-04-13T12:55:00Z
9
value 0.0068
scoring_system epss
scoring_elements 0.71534
published_at 2026-04-07T12:55:00Z
10
value 0.0068
scoring_system epss
scoring_elements 0.71561
published_at 2026-04-04T12:55:00Z
11
value 0.0068
scoring_system epss
scoring_elements 0.71623
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-9823
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9823
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9823
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/jetty/jetty.project
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/jetty/jetty.project
5
reference_url https://github.com/jetty/jetty.project/issues/1256
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:46:11Z/
url https://github.com/jetty/jetty.project/issues/1256
6
reference_url https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:46:11Z/
url https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
7
reference_url https://gitlab.eclipse.org/security/cve-assignement/-/issues/39
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:46:11Z/
url https://gitlab.eclipse.org/security/cve-assignement/-/issues/39
8
reference_url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-9823
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-9823
10
reference_url https://security.netapp.com/advisory/ntap-20250306-0006
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250306-0006
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2318565
reference_id 2318565
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2318565
12
reference_url https://github.com/advisories/GHSA-j26w-f9rq-mr2q
reference_id GHSA-j26w-f9rq-mr2q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j26w-f9rq-mr2q
fixed_packages
0
url pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
purl pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1
aliases CVE-2024-9823, GHSA-j26w-f9rq-mr2q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-memq-11qz-9qem
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/jetty9@9.4.57-1.1~deb12u1