Miggo Logo

CVE-2024-8184: Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks

5.9

CVSS Score
3.1

Basic Information

EPSS Score
0.4515%
Published
10/14/2024
Updated
11/8/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.eclipse.jetty:jetty-servermaven>= 12.0.0, <= 12.0.812.0.9
org.eclipse.jetty:jetty-servermaven>= 10.0.0, <= 10.0.2310.0.24
org.eclipse.jetty:jetty-servermaven>= 11.0.0, <= 11.0.2311.0.24
org.eclipse.jetty:jetty-servermaven>= 9.3.12, <= 9.4.559.4.56

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability documentation explicitly identifies ThreadLimitHandler.getRemote() as the vulnerable component. The CWE-400/770 classifications indicate uncontrolled resource consumption, consistent with the described OOM attack vector. The pull request #11723 modifying ThreadLimitHandler and the workaround recommendation to avoid it further corroborate this as the vulnerable entry point. The method's role in tracking connections likely creates unbounded memory allocation when handling malicious requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t R*mot* *OS *tt**k **n **us* out o* m*mory ### **s*ription T**r* *xists * s**urity vuln*r**ility in J*tty's `T*r***Limit**n*l*r.**tR*mot*()` w*i** **n ** *xploit** *y un*ut*oriz** us*rs to **us* r*mot* **ni*l-o*-s*rvi** (*oS) *tt**k. *y

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly i**nti*i*s `T*r***Limit**n*l*r.**tR*mot*()` *s t** vuln*r**l* *ompon*nt. T** *W*-***/*** *l*ssi*i**tions in*i**t* un*ontroll** r*sour** *onsumption, *onsist*nt wit* t** **s*ri*** OOM *tt**k v**tor. T** pull