CVE-2024-22201
Severity: HIGH
Eclipse Jetty 9.3.0-9.4.53, 10.0.8-10.0.19, 12.0.0-12.0.5 - Denial of Service via HTTP/2 SSL Connection Leak
Title source: llmDescription
Jetty is a Java-based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
References (5)
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2024/03/20/2
Third Party Advisory: https://security.netapp.com/advisory/ntap-20240329-0001/
Vendor Advisory (x_refsource_confirm): https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
Issue Tracking (x_refsource_misc): https://github.com/jetty/jetty.project/issues/11256
Scores
CVSS v3: 7.5
EPSS: 0.0057
EPSS Percentile: 69.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-770, CWE-400
Status: published
Products (8)
debian/debian_linux: 10.0
eclipse/jetty: 9.3.0 - 9.4.54
netapp/active_iq_unified_manager (2 CPE variants)
netapp/bluexp
org.eclipse.jetty.http2/http2-common: 9.3.0 - 9.4.54 (Maven)
org.eclipse.jetty.http2/jetty-http2-common: 12.0.0 - 12.0.6 (Maven)
org.eclipse.jetty.http3/http3-common: 10.0.8 - 10.0.20 (Maven)
org.eclipse.jetty.http3/jetty-http3-common: 12.0.0 - 12.0.6 (Maven)
Published: Feb 26, 2024
Tracked Since: Feb 18, 2026