Severity: LOW (3.1) · Ecosystem: Maven

Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks

GHSA-r7m4-f9h5-gr79 · CVE-2024-6762


Description

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:

  • not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
  • reducing the idle timeout on unauthenticated sessions, which shortens the time such sessions stay in memory.
  • configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.
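As an added example (not Jetty's own code and not part of this advisory), the embedded-Jetty configuration below combines the second and third workarounds: new sessions start with a short idle timeout that a servlet filter only lengthens once the session carries a logged-in user, and the session cache evicts sessions from heap memory and passivates them to a FileSessionDataStore. It assumes the Jetty 11 embedded API (org.eclipse.jetty.server.session, jakarta.servlet); the store directory, the port and the "user" session attribute name are placeholders chosen for the example.

```java
// Added example, not Jetty's own code: bound the memory cost of sessions
// created by unauthenticated clients. Assumes the Jetty 11 embedded API;
// the store directory and the "user" attribute name are placeholders.
import java.io.File;
import java.io.IOException;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.DefaultSessionCache;
import org.eclipse.jetty.server.session.FileSessionDataStore;
import org.eclipse.jetty.server.session.SessionCache;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class SessionHardening {

    /** Idle timeout for sessions that have not authenticated yet (seconds). */
    static final int UNAUTHENTICATED_IDLE_SECONDS = 60;
    /** Idle timeout once the session belongs to a logged-in user (seconds). */
    static final int AUTHENTICATED_IDLE_SECONDS = 30 * 60;
    /** Session attribute that marks an authenticated session (placeholder name). */
    static final String USER_ATTRIBUTE = "user";

    /**
     * Keeps the short idle timeout on every session that is not associated with
     * a logged-in user, and lengthens it on the first request after login.
     * Anonymous clients can therefore only hold a session for a short time.
     */
    public static class UnauthenticatedSessionTimeoutFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (session != null) {
                boolean authenticated = session.getAttribute(USER_ATTRIBUTE) != null;
                session.setMaxInactiveInterval(
                        authenticated ? AUTHENTICATED_IDLE_SECONDS : UNAUTHENTICATED_IDLE_SECONDS);
            }
            chain.doFilter(req, res);
        }
    }

    /** Builds a context whose sessions leave heap memory after each request and live on disk. */
    public static ServletContextHandler hardenedContext(File sessionStoreDir) {
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        SessionHandler sessionHandler = context.getSessionHandler();

        // Default idle timeout for newly created sessions; the filter lengthens it after login.
        sessionHandler.setMaxInactiveInterval(UNAUTHENTICATED_IDLE_SECONDS);

        // Session passivation: the in-memory cache drops a session when the request
        // completes, and the FileSessionDataStore keeps its data on disk, so creating
        // many sessions consumes disk capacity rather than heap.
        DefaultSessionCache cache = new DefaultSessionCache(sessionHandler);
        cache.setEvictionPolicy(SessionCache.EVICT_ON_SESSION_EXIT);
        cache.setSaveOnCreate(true); // persist immediately so eviction loses nothing

        FileSessionDataStore store = new FileSessionDataStore();
        store.setStoreDir(sessionStoreDir);
        store.setDeleteUnrestorableFiles(true);
        cache.setSessionDataStore(store);
        sessionHandler.setSessionCache(cache);

        context.addFilter(UnauthenticatedSessionTimeoutFilter.class, "/*", null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // placeholder port
        server.setHandler(hardenedContext(new File("/var/lib/myapp/sessions"))); // placeholder path
        server.start();
        server.join();
    }
}
```

The filter runs before the servlet, so a session created or logged in during a request keeps the short timeout until the next request; that is deliberate, since the short default is what limits what an unauthenticated client can accumulate. The eviction policy can instead be a positive number of seconds (evict after that much inactivity) if per-request passivation costs too much disk I/O for the deployment.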

References
