CVE-2024-8184: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
First published: Mon Oct 14 2024(Updated: )
### Impact Remote DOS attack can cause out of memory ### Description There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory. ### Affected Versions * Jetty 12.0.0-12.0.8 (Supported) * Jetty 11.0.0-11.0.23 (EOL) * Jetty 10.0.0-10.0.23 (EOL) * Jetty 9.3.12-9.4.55 (EOL) ### Patched Versions * Jetty 12.0.9 * Jetty 11.0.24 * Jetty 10.0.24 * Jetty 9.4.56 ### Workarounds Do not use `ThreadLimitHandler`. Consider use of `QoSHandler` instead to artificially limit resource utilization. ### References Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
Credit: emo@eclipse.org emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.eclipse.jetty:jetty-server | >=9.3.12<=9.4.55 | 9.4.56 |
| maven/org.eclipse.jetty:jetty-server | >=11.0.0<=11.0.23 | 11.0.24 |
| maven/org.eclipse.jetty:jetty-server | >=10.0.0<=10.0.23 | 10.0.24 |
| maven/org.eclipse.jetty:jetty-server | >=12.0.0<=12.0.8 | 12.0.9 |
| Mortbay Jetty | >=9.3.12<9.4.56 | |
| Mortbay Jetty | >=10.0.0<10.0.24 | |
| Mortbay Jetty | >=11.0.0<11.0.24 | |
| Mortbay Jetty | >=12.0.0<12.0.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/30
- https://github.com/jetty/jetty.project/pull/11723
- https://nvd.nist.gov/vuln/detail/CVE-2024-8184
- https://github.com/advisories/GHSA-g8m5-722r-8whq (Advisory)
- https://access.redhat.com/errata/RHSA-2024:9571
- https://access.redhat.com/errata/RHSA-2024:11023
- https://access.redhat.com/errata/RHSA-2025:2416
- https://bugzilla.redhat.com/show_bug.cgi?id=2318564
Frequently Asked Questions
What is the severity of CVE-2024-8184?
CVE-2024-8184 is a critical vulnerability that enables a remote denial-of-service attack.
How do I fix CVE-2024-8184?
To fix CVE-2024-8184, upgrade to Jetty version 9.4.56, 10.0.24, 11.0.24, or 12.0.9.
Which versions of Jetty are affected by CVE-2024-8184?
CVE-2024-8184 affects Jetty versions from 9.3.12 through 9.4.55, 10.0.0 through 10.0.23, 11.0.0 through 11.0.23, and 12.0.0 through 12.0.8.
What type of attack does CVE-2024-8184 allow?
CVE-2024-8184 allows an attacker to conduct a remote denial-of-service (DoS) attack.
Who can exploit CVE-2024-8184?
CVE-2024-8184 can be exploited by unauthorized users sending crafted requests.
- agent/title
- agent/first-publish-date
- agent/type
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/remedy
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g8m5-722r-8whq
- alias/CVE-2024-8184
- agent/software-canonical-lookup
- agent/severity
- agent/description
- agent/event
- collector/github-advisory
- agent/references
- agent/trending
- agent/source
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/maven
- vendor/eclipse
- canonical/mortbay jetty
- version/mortbay jetty/9.3.12
- version/mortbay jetty/10.0.0
- version/mortbay jetty/11.0.0
- version/mortbay jetty/12.0.0