GHSA-r7m4-f9h5-gr79
Impact
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
Patches
- https://github.com/jetty/jetty.project/pull/9715
- https://github.com/jetty/jetty.project/pull/9716
Workarounds
The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
- not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
- reducing the idle timeout on unauthenticated sessions, which reduces the time such sessions stay in memory.
- configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.
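As an added example (not code from the Jetty project or from this advisory), the second and third workarounds applied to an embedded Jetty 10 server: the session cache passivates sessions to a FileSessionDataStore as soon as no request is using them, and a servlet filter shortens the idle timeout of sessions that have no authenticated principal. The jakarta.servlet API, the store directory, the timeout values and the class names are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.EnumSet;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.*;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;

// Illustrative example, not Jetty project code. Assumes Jetty 10 (jakarta.servlet 5).
public class SessionHardening {
    // Assumed: sessions with no authenticated user may idle for at most 60 seconds.
    static final int UNAUTHENTICATED_IDLE_SECONDS = 60;

    /** Runs after the application (and PushCacheFilter); shortens anonymous sessions' idle timeout. */
    public static class UnauthenticatedSessionTimeoutFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            chain.doFilter(req, res);
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false); // never create a session here
            if (session != null && http.getUserPrincipal() == null
                    && session.getMaxInactiveInterval() > UNAUTHENTICATED_IDLE_SECONDS) {
                session.setMaxInactiveInterval(UNAUTHENTICATED_IDLE_SECONDS);
            }
        }
    }

    /** Session handler whose cache evicts sessions from the heap and persists them to disk. */
    public static SessionHandler passivatingSessionHandler(File storeDir) {
        SessionHandler handler = new SessionHandler();
        DefaultSessionCache cache = new DefaultSessionCache(handler);
        cache.setEvictionPolicy(SessionCache.EVICT_ON_SESSION_EXIT); // passivate when last request ends
        FileSessionDataStore store = new FileSessionDataStore();      // session data lives in files
        store.setStoreDir(storeDir);
        cache.setSessionDataStore(store);
        handler.setSessionCache(cache);
        handler.setMaxInactiveInterval(1800); // assumed default for authenticated sessions
        return handler;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler ctx = new ServletContextHandler(server, "/");
        ctx.setSessionHandler(passivatingSessionHandler(new File("/tmp/jetty-sessions"))); // assumed path
        ctx.addFilter(new FilterHolder(new UnauthenticatedSessionTimeoutFilter()), "/*",
                EnumSet.of(DispatcherType.REQUEST));
        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```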
References
- https://github.com/jetty/jetty.project/pull/10756
- https://github.com/jetty/jetty.project/pull/10755