{ "threat_severity" : "Moderate", "public_date" : "2024-10-14T15:09:37Z", "bugzilla" : { "description" : "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", "id" : "2318564", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2318564" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory." ], "statement" : "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", "affected_release" : [ { "product_name" : "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", "release_date" : "2024-12-12T00:00:00Z", "advisory" : "RHSA-2024:11023", "cpe" : "cpe:/a:redhat:rhboac_hawtio:4.0.0", "package" : "org.eclipse.jetty/jetty-server" }, { "product_name" : "Streams for Apache Kafka 2.8.0", "release_date" : "2024-11-13T00:00:00Z", "advisory" : "RHSA-2024:9571", "cpe" : "cpe:/a:redhat:amq_streams:2", "package" : "org.eclipse.jetty/jetty-server" }, { "product_name" : "Streams for Apache Kafka 2.9.0", "release_date" : "2025-03-05T00:00:00Z", "advisory" : "RHSA-2025:2416", "cpe" : "cpe:/a:redhat:amq_streams:2", "package" : "org.eclipse.jetty/jetty-server" } ], "package_state" : [ { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Fix deferred", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Not affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Will not fix", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Web Server 6", "fix_state" : "Not affected", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Will not fix", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "org.eclipse.jetty/jetty-server", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-8184\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8184\nhttps://github.com/jetty/jetty.project/pull/11723\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/30" ], "name" : "CVE-2024-8184", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }