Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Available for macOS, Windows, and Linux

Eclipse Jetty DoS Vulnerability (GHSA-m394-8rww-3jr7) - Linux

Information

Severity: High
Family: Denial of Service
CVSSv2 Base: 7.8
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Solution Type: Vendor Patch
Created: 3 years ago
Modified: 3 years ago

Summary

Eclipse Jetty is prone to a denial of service (DoS) vulnerability.

Insight

When Jetty handles a request containing request headers with a large number of 'quality' (i.e. q) parameters (such as what are seen on the Accept, Accept-Encoding, and Accept-Language request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. See the referenced vendor advisory for further information.

Affected Software

Eclipse Jetty versions 9.4.6.v20170531 - 9.4.36.v20210114, 10.0.0 and 11.0.0.

Detection Method

Checks if a vulnerable version is present on the target host.

Solution

Update to version 9.4.37.v20210219, 10.0.1, 11.0.1 or later.
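The affected and fixed versions above can be turned into a small banner-based version check of the kind the Detection Method describes. The script below is an added example written for this page; it is not Mageni's own check and not Jetty project code. It assumes the target reports its version in the default Jetty "Server: Jetty(x.y.z.vYYYYMMDD)" banner, compares only the numeric triple (the ".vYYYYMMDD" date suffix is ignored because the triple already orders the releases), and uses constructed sample banners as input.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fixed releases exactly as stated in this advisory entry.
# Range endpoints are inclusive.
AFFECTED_RANGES = [
    ((9, 4, 6), (9, 4, 36)),    # 9.4.6.v20170531 through 9.4.36.v20210114
    ((10, 0, 0), (10, 0, 0)),   # 10.0.0 only
    ((11, 0, 0), (11, 0, 0)),   # 11.0.0 only
]
FIXED_RELEASES = {9: "9.4.37.v20210219", 10: "10.0.1", 11: "11.0.1"}

# Jetty version strings look like "9.4.36.v20210114" or "10.0.0"; the
# ".vYYYYMMDD" suffix is optional and not used for ordering.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?")
# Assumed default banner format: "Server: Jetty(9.4.36.v20210114)".
_SERVER_RE = re.compile(r"Jetty\(([^)]+)\)", re.IGNORECASE)


def parse_jetty_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from a Jetty version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_from_server_header(header: str) -> Optional[str]:
    """Extract the version text from a 'Server: Jetty(...)' header line."""
    m = _SERVER_RE.search(header)
    return m.group(1) if m else None


def is_affected(version_text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_jetty_version(version_text)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version_text: str) -> Optional[str]:
    """Fixed release for an affected version's major line, else None."""
    v = parse_jetty_version(version_text)
    if v is None or not is_affected(version_text):
        return None
    return FIXED_RELEASES.get(v[0])


def assess_banner(header: str) -> dict:
    """Classify one Server header line as vulnerable / not vulnerable / unknown."""
    version = version_from_server_header(header)
    if version is None:
        # No Jetty banner: the host may still run Jetty with the header
        # suppressed, so this is 'unknown', not 'clean'.
        return {"version": None, "status": "unknown", "fix": None}
    if is_affected(version):
        return {"version": version, "status": "vulnerable",
                "fix": fixed_version_for(version)}
    return {"version": version, "status": "not vulnerable", "fix": None}


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "Server: Jetty(9.4.36.v20210114)",
    "Server: Jetty(9.4.37.v20210219)",
    "Server: Jetty(10.0.0)",
    "Server: Jetty(11.0.1)",
    "Server: nginx/1.18.0",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", assess_banner(banner))
```

A negative result from this check only means the banner did not match; a proxy may rewrite or strip the Server header, so the authoritative check is the Jetty jar version installed on the host, and the fix is the upgrade listed in the Solution section.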

Common Vulnerabilities and Exposures (CVE)