CVE-2024-13009

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request
body. This can result in corrupted and/or inadvertent sharing of data between requests.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
eclipseCNA
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
VendorProductVersion
eclipsejetty
9.4.0 ≤
𝑥
< 9.4.57
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jetty12
trixie (security)
12.0.17-3.1~deb13u1
fixed
trixie
12.0.17-3.1~deb13u1
fixed
forky
12.0.17-3.1
fixed
sid
12.0.17-3.1
fixed
jetty9
bullseye
vulnerable
bullseye (security)
9.4.57-0+deb11u3
fixed
bookworm
9.4.57-0+deb12u1
fixed
bookworm (security)
9.4.57-1.1~deb12u1
fixed
trixie (security)
9.4.57-1.1~deb13u1
fixed
trixie
9.4.57-1.1~deb13u1
fixed
forky
9.4.57-1.1
fixed
sid
9.4.57-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jetty9
questing
not-affected
plucky
needs-triage
oracular
ignored
noble
needs-triage
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5
https://gitlab.eclipse.org/security/cve-assignement/-/issues/48