CVE-2024-13009 — jetty9 - security update

Description

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.

How to fix CVE-2024-13009

To remediate CVE-2024-13009, upgrade the affected package to a fixed version below.

Debian/jetty9—upgrade to 9.4.57-0+deb11u1 or later
—upgrade to 9.4.57-0+deb11u1 or later
—upgrade to 9.4.57-0+deb12u1 or later
—upgrade to 9.4.57.v20241219 or later

Is CVE-2024-13009 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 9.4.57-0+deb11u1
from 0, < 9.4.57-0+deb11u1
from 0, < 9.4.57-0+deb12u1
>= 9.4.0, < 9.4.57.v20241219

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-13009
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-13009
PATCHgithub.com/jetty/jetty.project
WEBgithub.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5