5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8184

GHSA ID

GHSA-g8m5-722r-8whq

EPSS Score

0.4515%

CWE

CWE-400

Published

10/14/2024

Updated

11/8/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-8184

CVE-2024-8184: Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks

Impact

Remote DOS attack can cause out of memory

Description

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

Affected Versions

Jetty 12.0.0-12.0.8 (Supported)
Jetty 11.0.0-11.0.23 (EOL)
Jetty 10.0.0-10.0.23 (EOL)
Jetty 9.3.12-9.4.55 (EOL)

Patched Versions

Jetty 12.0.9
Jetty 11.0.24
Jetty 10.0.24
Jetty 9.4.56

Workarounds

Do not use ThreadLimitHandler.
Consider use of QoSHandler instead to artificially limit resource utilization.

References

Jetty 12 - https://github.com/jetty/jetty.project/pull/11723

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8184

GHSA ID

GHSA-g8m5-722r-8whq

EPSS Score

0.4515%

CWE

CWE-400

Published

10/14/2024

Updated

11/8/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty:jetty-server	maven	>= 12.0.0, <= 12.0.8	12.0.9
org.eclipse.jetty:jetty-server	maven	>= 10.0.0, <= 10.0.23	10.0.24
org.eclipse.jetty:jetty-server	maven	>= 11.0.0, <= 11.0.23	11.0.24
org.eclipse.jetty:jetty-server	maven	>= 9.3.12, <= 9.4.55	9.4.56

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly identifies ThreadLimitHandler.getRemote() as the vulnerable component. The CWE-400/770 classifications indicate uncontrolled resource consumption, consistent with the described OOM attack vector. The pull request #11723 modifying ThreadLimitHandler and the workaround recommendation to avoid it further corroborate this as the vulnerable entry point. The method's role in tracking connections likely creates unbounded memory allocation when handling malicious requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t R*mot* *OS *tt**k **n **us* out o* m*mory ### **s*ription T**r* *xists * s**urity vuln*r**ility in J*tty's `T*r***Limit**n*l*r.**tR*mot*()` w*i** **n ** *xploit** *y un*ut*oriz** us*rs to **us* r*mot* **ni*l-o*-s*rvi** (*oS) *tt**k. *y

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s `T*r***Limit**n*l*r.**tR*mot*()` *s t** vuln*r**l* *ompon*nt. T** *W*-***/*** *l*ssi*i**tions in*i**t* un*ontroll** r*sour** *onsumption, *onsist*nt wit* t** **s*ri*** OOM *tt**k v**tor. T** pull

5.9

Basic Information

Concerned about an active attack path?

CVE-2024-8184: Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks

Impact

Description

Affected Versions

Patched Versions

Workarounds

References

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI