
Test ID:1.3.6.1.4.1.25623.1.0.151837
Category:Web Servers
Title:Eclipse Jetty DoS Vulnerability (GHSA-rggv-cv7r-mw98) - Windows
Summary:Eclipse Jetty is prone to a denial of service (DoS) vulnerability.
Description:
Summary:
Eclipse Jetty is prone to a denial of service (DoS) vulnerability.

Vulnerability Insight:
If an HTTP/2 connection becomes TCP congested and an idle timeout occurs, the HTTP/2
session is marked as closed and a GOAWAY frame is queued to be written. However, the frame
is not written, because the connection is TCP congested. When another idle timeout period
elapses, the connection is supposed to be hard closed, but the handler delegates to the
HTTP/2 session, which reports that it has already been closed, so no attempt is made to hard
close the connection.

This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle.

An attacker can cause many connections to end up in this state, and the server may run out of
file descriptors, eventually causing the server to stop accepting new connections from valid
clients.
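
The idle-timeout sequence above, as a constructed and simplified model in Python added here (this is not Jetty's code and not the test's code): the vulnerable session answers "already closed" on the second timeout, so the congested socket is never hard-closed, while the patched variant demands a hard close. The `EndPoint`, `H2Session` and `simulate` names and the "return True means hard close" contract are assumptions of this model.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of the advisory's sequence; not Jetty's code.

@dataclass
class EndPoint:
    """TCP side of the connection; while congested, queued frames never flush."""
    congested: bool
    closed: bool = False
    pending: list = field(default_factory=list)

    def write(self, frame: str) -> None:
        self.pending.append(frame)
        if not self.congested:       # writable: GOAWAY goes out and the
            self.pending.clear()     # graceful close completes normally
            self.closed = True

    def hard_close(self) -> None:
        self.pending.clear()
        self.closed = True

@dataclass
class H2Session:
    endpoint: EndPoint
    fixed: bool                      # True = patched idle-timeout decision
    closed: bool = False

    def on_idle_timeout(self) -> bool:
        """Return True when the connection layer must hard-close the socket."""
        if self.closed:
            # Vulnerable: reports 'already closed', so the congested socket
            # is never hard-closed. Fixed: a second timeout after GOAWAY was
            # queued means it never drained, so demand a hard close.
            return self.fixed
        self.closed = True
        self.endpoint.write("GOAWAY")   # queued; may never be flushed
        return False                    # graceful close in progress

def connection_idle_timeout(session: H2Session) -> None:
    """Connection-level handler: delegates the close decision to the session."""
    if session.on_idle_timeout():
        session.endpoint.hard_close()

def simulate(congested: bool, fixed: bool, timeouts: int = 2) -> dict:
    """Drive one connection through idle timeouts; report its final state."""
    ep = EndPoint(congested=congested)
    session = H2Session(ep, fixed=fixed)
    for _ in range(timeouts):
        connection_idle_timeout(session)
    return {"socket_closed": ep.closed, "goaway_pending": bool(ep.pending)}
```

Without congestion the GOAWAY flushes and the connection closes gracefully even on the vulnerable path, which is why the leak only shows up under TCP congestion.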

Affected Software/OS:
Eclipse Jetty version 9.3.0 through 9.4.53, 10.0.0 through
10.0.19, 11.0.0 through 11.0.19 and 12.0.0 through 12.0.5.

Solution:
Update to version 9.4.54, 10.0.20, 11.0.20, 12.0.6 or later.

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Cross-Ref: Common Vulnerabilities and Exposures (CVE) ID: CVE-2024-22201
https://github.com/jetty/jetty.project/issues/11256
https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html
http://www.openwall.com/lists/oss-security/2024/03/20/2
Copyright:Copyright (C) 2024 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.