CVE-2024-22201 — HIGH (7.5)

Q: How severe is CVE-2024-22201?

CVE-2024-22201 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-22201?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp Bluexp.

Vulnerability Description

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Eclipse	Jetty	>= 9.3.0, < 9.4.54
Debian	Debian Linux	10.0
Netapp	Active Iq Unified Manager	-
Netapp	Bluexp	-

Related Weaknesses (CWE)

CWE-770 CWE-400

References

http://www.openwall.com/lists/oss-security/2024/03/20/2Mailing ListThird Party Advisory
https://github.com/jetty/jetty.project/issues/11256Issue Tracking
https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00002.htmlMailing List
https://security.netapp.com/advisory/ntap-20240329-0001/Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/20/2Mailing ListThird Party Advisory
https://github.com/jetty/jetty.project/issues/11256Issue Tracking
https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00002.htmlMailing List
https://security.netapp.com/advisory/ntap-20240329-0001/Third Party Advisory

FAQ

What is CVE-2024-22201?

CVE-2024-22201 is a vulnerability with a CVSS score of 7.5 (HIGH). Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up i...

How severe is CVE-2024-22201?

CVE-2024-22201 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-22201?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp Bluexp.