CVE-2024-22201 Affecting jetty9 package, versions <9.4.50-4+deb11u2
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-JETTY9-6277735
- published 27 Feb 2024
- disclosed 26 Feb 2024
Introduced: 26 Feb 2024
CVE-2024-22201 Open this link in a new tabHow to fix?
Upgrade Debian:11 jetty9 to version 9.4.50-4+deb11u2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream jetty9 package and not the jetty9 package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
References
- https://security-tracker.debian.org/tracker/CVE-2024-22201
- https://github.com/jetty/jetty.project/issues/11256
- https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
- https://security.netapp.com/advisory/ntap-20240329-0001/
- https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html
- http://www.openwall.com/lists/oss-security/2024/03/20/2