CVE-2024-8184 — Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks

Description

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

How to fix CVE-2024-8184

To remediate CVE-2024-8184, upgrade the affected package to a fixed version below.

—upgrade to 9.4.57-0+deb11u1 or later
—upgrade to 12.0.9 or later

Is CVE-2024-8184 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 9.4.57-0+deb11u1
>= 12.0.0, < 12.0.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-8184
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-8184
PATCHgithub.com/jetty/jetty.project
WEBgithub.com/jetty/jetty.project/pull/11723
WEB