CVE-2024-6762

Jetty PushSessionCacheFilter can cause remote DoS attacks

Description

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Remediation

Workaround:

  • The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
    * not using the PushCacheFilter. Push has been deprecated by the various IETF specs, and early hints responses should be used instead.
    * reducing the idle timeout on unauthenticated sessions, which reduces the time such sessions stay in memory.
    * configuring a session cache to use session passivation (https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory but in a database or file system that may have significantly more capacity than memory.
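The second and third workarounds can be combined in embedded Jetty: a short default idle timeout that is raised only once a request has been authenticated, plus a session cache that evicts idle sessions from memory and passivates them to a file-backed data store. This is an added illustration, not code from the advisory or from the Jetty project; it assumes the Jetty 12 EE10 package names below (check them against the linked session documentation for your version) and the hypothetical store directory and timeout values.

```java
import java.io.File;
import java.io.IOException;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.ee10.servlet.SessionHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.session.DefaultSessionCache;
import org.eclipse.jetty.session.FileSessionDataStore;

public class PassivatingSessionConfig {
    // Assumed values: unauthenticated sessions die after 60 s, authenticated ones after 30 min.
    static final int ANON_TIMEOUT_SECS = 60;
    static final int AUTH_TIMEOUT_SECS = 30 * 60;

    public static Server build(int port) {
        Server server = new Server(port);
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        SessionHandler sessions = ctx.getSessionHandler();

        // Workaround 2: every new session starts with the short, unauthenticated timeout.
        sessions.setMaxInactiveInterval(ANON_TIMEOUT_SECS);

        // Workaround 3: evict sessions from memory after 30 s idle and passivate them to disk,
        // so an attacker filling the session table consumes file space rather than heap.
        DefaultSessionCache cache = new DefaultSessionCache(sessions);
        cache.setEvictionPolicy(30);            // seconds of inactivity before eviction
        cache.setSaveOnCreate(true);            // persist immediately, not only on eviction
        cache.setRemoveUnloadableSessions(true);
        FileSessionDataStore store = new FileSessionDataStore();
        store.setStoreDir(new File("/var/lib/jetty/sessions")); // hypothetical path
        store.setDeleteUnrestorableFiles(true);
        cache.setSessionDataStore(store);
        sessions.setSessionCache(cache);

        // Raise the per-session timeout only after the container reports an authenticated principal.
        ctx.addFilter(new FilterHolder(new Filter() {
            public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                    throws IOException, ServletException {
                HttpServletRequest http = (HttpServletRequest) req;
                if (http.getUserPrincipal() != null && http.getSession(false) != null) {
                    http.getSession(false).setMaxInactiveInterval(AUTH_TIMEOUT_SECS);
                }
                chain.doFilter(req, res);
            }
        }), "/*", null);

        server.setHandler(ctx);
        return server;
    }
}
```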

Severity: Low (CVSS 3.1)
EPSS: 0.46%
Vendor advisories: github.com, eclipse.org
Affected: Eclipse Foundation Jetty

Frequently Asked Questions

What is the severity of CVE-2024-6762?
CVE-2024-6762 has been scored as a low severity vulnerability.
How to fix CVE-2024-6762?
As a workaround for remediating CVE-2024-6762: the session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by: not using the PushCacheFilter (Push has been deprecated by the various IETF specs, and early hints responses should be used instead); reducing the idle timeout on unauthenticated sessions, which reduces the time such sessions stay in memory; or configuring a session cache to use session passivation (https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory but in a database or file system that may have significantly more capacity than memory.
Is CVE-2024-6762 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-6762 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-6762?
CVE-2024-6762 affects Eclipse Foundation Jetty.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.