{"id":"CVE-2024-22201","summary":"Jetty connection leaking on idle timeout when TCP congested","details":"Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.","aliases":["GHSA-rggv-cv7r-mw98"],"modified":"2026-04-10T05:09:06.879625Z","published":"2024-02-26T16:13:33.848Z","related":["CGA-73h6-h78f-wx27","SUSE-SU-2024:0817-1","openSUSE-SU-2024:13724-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22201.json","cwe_ids":["CWE-400"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/03/20/2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22201.json"},{"type":"ADVISORY","url":"https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22201"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240329-0001/"},{"type":"REPORT","url":"https://github.com/jetty/jetty.project/issues/11256"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse/jetty.project","events":[{"introduced":"390f3200cce7f90f1f3ebc78013c1afea2f93db8"},{"fixed":"cef3fbd6d736a21e7d541a5db490381d95a2047d"},{"introduced":"b9645a17373e4e9b7f30b6c0a07defcea2cb660b"},{"fixed":"3a745c71c23682146f262b99f4ddc4c1bc41630c"},{"introduced":"432f896d7a4555fcc81f38108757ea0aca8788e6"},{"fixed":"922f8dc188f7011e60d0361de585fd4ac4d63064"},{"introduced":"28100e8da711e44c0722ed10bd413ae862497539"},{"fixed":"78ab6e6ba163f89cdd97f2ae0283fbb5e371cfaf"},{"introduced":"0"},{"last_affected":"b9645a17373e4e9b7f30b6c0a07defcea2cb660b"}],"database_specific":{"versions":[{"introduced":"9.3.0"},{"fixed":"9.4.54"},{"introduced":"10.0.0"},{"fixed":"10.0.20"},{"introduced":"11.0.0"},{"fixed":"11.0.20"},{"introduced":"12.0.0"},{"fixed":"12.0.6"},{"introduced":"0"},{"last_affected":"10.0"}]}}],"versions":["jetty-10.0.0","jetty-10.0.0.beta1","jetty-10.0.18","jetty-10.0.19","jetty-10.0.2","jetty-10.0.8","jetty-11.0.0-alpha0","jetty-11.0.0.beta1","jetty-11.0.0.beta2","jetty-11.0.18","jetty-11.0.19","jetty-11.0.2","jetty-11.0.8","jetty-11.0.9","jetty-12.0.0x","jetty-12.0.5","jetty-8.0.0.RC0","jetty-8.1.0.RC0","jetty-9.1.0.M0","jetty-9.1.0.RC0","jetty-9.1.0.RC1","jetty-9.1.0.RC2","jetty-9.1.0.v20131115","jetty-9.1.1.v20140108","jetty-9.1.2.v20140210","jetty-9.1.3.v20140225","jetty-9.1.4.v20140401","jetty-9.2.0.M0","jetty-9.2.0.M1","jetty-9.2.0.RC0","jetty-9.2.0.v20140523","jetty-9.2.0.v20140526","jetty-9.2.1.v20140609","jetty-9.4.10.v20180503","jetty-9.4.12.v20180830","jetty-9.4.13.v20181111","jetty-9.4.14.v20181114","jetty-9.4.15.v20190215","jetty-9.4.2.v20170220","jetty-9.4.26.v20200117","jetty-9.4.27.v20200227","jetty-9.4.28.v20200408","jetty-9.4.32.v20200930","jetty-9.4.36.v20210114","jetty-9.4.37.v20210219","jetty-9.4.39.v20210325","jetty-9.4.42.v20210604","jetty-9.4.6.v20170531"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22201.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"390f3200cce7f90f1f3ebc78013c1afea2f93db8"},{"last_affected":"27bde00a0b95a1d5bbee0eae7984f891d2d0f8c9"}],"database_specific":{"versions":[{"introduced":"9.3.0"},{"last_affected":"9.4.53"}]}},{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"b9645a17373e4e9b7f30b6c0a07defcea2cb660b"},{"last_affected":"8492d1c78f122bb30cce20aecfa07e7283facd47"}],"database_specific":{"versions":[{"introduced":"10.0.0"},{"last_affected":"10.0.19"}]}},{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"432f896d7a4555fcc81f38108757ea0aca8788e6"},{"last_affected":"f781e475c8fa9e9c8ce18b1eaa03110d510f905f"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"last_affected":"11.0.19"}]}},{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"28100e8da711e44c0722ed10bd413ae862497539"},{"last_affected":"3aed62e4959bb8c01f5975fe81e078e3ff626126"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"last_affected":"12.0.5"}]}}],"versions":["jetty-12.0.0x","jetty-12.0.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22201.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}