3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-6762

GHSA ID

GHSA-r7m4-f9h5-gr79

EPSS Score

0.83365%

CWE

CWE-400

Published

10/14/2024

Updated

11/8/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-6762

CVE-2024-6762: Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

https://github.com/jetty/jetty.project/pull/9715
https://github.com/jetty/jetty.project/pull/9716

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:

not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.
configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

References

https://github.com/jetty/jetty.project/pull/10756
https://github.com/jetty/jetty.project/pull/10755

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-6762

CVE-2024-6762:

3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-6762

GHSA ID

GHSA-r7m4-f9h5-gr79

EPSS Score

0.83365%

CWE

CWE-400

Published

10/14/2024

Updated

11/8/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty:jetty-servlets	maven	>= 10.0.0, <= 10.0.17	10.0.18
org.eclipse.jetty:jetty-servlets	maven	>= 11.0.0, <= 11.0.17	11.0.18
org.eclipse.jetty:jetty-servlets	maven	>= 12.0.0, <= 12.0.3	12.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems directly from the PushSessionCacheFilter's session management implementation. Multiple sources confirm this filter was deprecated in patches (PR #9715, #9716) due to its role in memory exhaustion attacks. The CWE-400/CWE-770 alignment indicates uncontrolled resource consumption from session caching. The filter's presence in vulnerable versions (<=10.0.17, <=11.0.17, <=12.0.3) and removal in patched versions confirms its role as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-6762: Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks

Impact

Patches

Workarounds

References

CVE-2024-6762:

3.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-6762: Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks

Impact

Patches

Workarounds

References

3.1

3.1

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI