Test ID: 1.3.6.1.4.1.25623.1.0.151836
Category: Web Servers
Title: Eclipse Jetty DoS Vulnerability (GHSA-rggv-cv7r-mw98) - Linux
Summary: Eclipse Jetty is prone to a denial of service (DoS) vulnerability.
Description:
Summary:
Eclipse Jetty is prone to a denial of service (DoS) vulnerability.

Vulnerability Insight:
If an HTTP/2 connection gets TCP congested, when an idle
timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be
written. However it is not written because the connection is TCP congested. When another idle
timeout period elapses, it is then supposed to hard close the connection, but it delegates to the
HTTP/2 session which reports that it has already been closed so it does not attempt to hard close
the connection.

This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle.

An attacker can cause many connections to end up in this state, and the server may run out of
file descriptors, eventually causing the server to stop accepting new connections from valid
clients.

Affected Software/OS:
Eclipse Jetty version 9.3.0 through 9.4.53, 10.0.0 through
10.0.19, 11.0.0 through 11.0.19 and 12.0.0 through 12.0.5.

Solution:
Update to version 9.4.54, 10.0.20, 11.0.20, 12.0.6 or later.

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Cross-Reference: Common Vulnerability Exposure (CVE) ID: CVE-2024-22201
https://github.com/jetty/jetty.project/issues/11256
https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html
http://www.openwall.com/lists/oss-security/2024/03/20/2
Copyright: Copyright (C) 2024 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.