Jetty HTTP/2 SSL connection leak vulnerability
CVE-2024-22201

7.5HIGH

Key Information:

Vendor: Jetty
Status: Jetty.project
Vendor: CVE Published:; 26 February 2024

What is CVE-2024-22201?

A vulnerability exists in Jetty, a popular Java-based web server and servlet engine, where an established HTTP/2 SSL connection can leak due to TCP congestion timeout. If an attacker exploits this vulnerability, they can force multiple connections into a leaked state, which may exhaust the server's file descriptors. This exhaustion can lead to a denial of service, preventing the server from accepting new connections from legitimate clients. The vulnerability has been addressed in several recent releases of Jetty, specifically in versions 9.4.54, 10.0.20, 11.0.20, and 12.0.6. Users are encouraged to upgrade to these patched versions to mitigate risks.

Affected Version(s)

jetty.project >= 9.3.0, <= 9.4.53 <= 9.3.0, 9.4.53

jetty.project >= 10.0.0, <= 10.0.19 <= 10.0.0, 10.0.19

jetty.project >= 11.0.0, <= 11.0.19 <= 11.0.0, 11.0.19

References

https://github.com/jetty/jetty.project/security/advisorie...

x_refsource_CONFIRM

https://github.com/jetty/jetty.project/issues/11256

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20240329-0001/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 26, 2024
Vulnerability Reserved
Jan 8, 2024