- CVE ID
- CVE-2024-22201
- CVE Description
- Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
- Published
- Feb 28, 2024
- CVSS Score & Severity
7.5High
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- EPSS Score
- 0.559%
- KEV Status
Not in KEV Catalog: No known exploits
- Vulnerable Methods
org/eclipse/jetty/http2/HTTP2Session$StreamsState.onIdleTimeout()ZJVM
org/eclipse/jetty/http2/HTTP2Session.onIdleTimeout()ZJVM
org/eclipse/jetty/http3/HTTP3Session.onIdleTimeout()ZJVM
org/eclipse/jetty/http3/internal/HTTP3Session.onIdleTimeout()ZJVM
- Source
- National Vulnerability Database