CVE-2024-13009

CWE-404 | 9 documents | 7 sources

Severity: 7.2 HIGH
EPSS: 0.6% (top 31.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 8, 2025; latest update Jan 15, 2026

Description

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (Exploitability: 3.9 | Impact: 2.7)

Read as: network-reachable, low attack complexity, no privileges or user interaction required; scope changed (data from one request can leak into another, so the impact crosses the boundary of the attacker's own request); low confidentiality and integrity impact; no availability impact.

Affected Packages (4 packages)

Source      Package                           From     To
NVD         eclipse/jetty                     9.4.0    9.4.57
Maven       org.eclipse.jetty:jetty-server    9.4.0    9.4.57.v20241219
CVEListV5   eclipse_foundation/jetty          9.4.0    9.4.56
Debian      jetty9                            -        < 9.4.57-0+deb11u1+3

The NVD and Maven upper bounds are the fixed release (9.4.57, published as 9.4.57.v20241219); the CVEListV5 upper bound is the last affected release (9.4.56), matching the description's "9.4.0 to 9.4.56".
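The affected range above is easy to misread because the sources list it two ways (last affected 9.4.56 vs. fixed 9.4.57). The following script is an added triage example, not code from this page or from the Jetty project: it parses Jetty's `MAJOR.MINOR.PATCH.vYYYYMMDD` version strings, classifies them against the 9.4.0 to 9.4.56 range from the description, and pulls every `org.eclipse.jetty:jetty-server` coordinate out of `mvn dependency:list` output. The sample Maven output embedded in the block is constructed for the demonstration; the coordinate layout (`groupId:artifactId:type[:classifier]:version:scope`) is what that Maven goal prints.

```python
import re
from typing import List, Optional, Tuple

# Range taken from the advisory text: Jetty 9.4.0 through 9.4.56 inclusive,
# i.e. fixed in 9.4.57 (Maven coordinate 9.4.57.v20241219).
FIRST_AFFECTED = (9, 4, 0)
FIXED_IN = (9, 4, 57)

# Jetty 9.4 releases are tagged MAJOR.MINOR.PATCH.vYYYYMMDD; later lines
# (10.x, 11.x, 12.x) drop the .v date suffix. Pre-releases (e.g. .RC3) do
# not match and are reported as unparsed so a human looks at them.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")


def parse_jetty_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a GA release string, or None if the
    string is not a release version we can classify."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> Optional[bool]:
    """True if version is in [9.4.0, 9.4.57), False if outside that range,
    None if the string could not be parsed."""
    parsed = parse_jetty_version(version)
    if parsed is None:
        return None
    return FIRST_AFFECTED <= parsed < FIXED_IN


# `mvn dependency:list` prints one resolved artifact per line as
#   groupId:artifactId:type[:classifier]:version:scope
# after the Maven log prefix. The version is always second-to-last and the
# scope last, so splitting on ':' from the right survives an optional classifier.
TARGET_PREFIX = "org.eclipse.jetty:jetty-server:"


def scan_dependency_list(mvn_output: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (version, scope, affected) for every jetty-server coordinate found."""
    findings = []
    for line in mvn_output.splitlines():
        for token in line.split():
            if not token.startswith(TARGET_PREFIX):
                continue
            parts = token.split(":")
            if len(parts) < 5:  # need at least group:artifact:type:version:scope
                continue
            version, scope = parts[-2], parts[-1]
            findings.append((version, scope, is_affected(version)))
    return findings


# Constructed sample of `mvn dependency:list` output (not a real project).
SAMPLE_MVN_OUTPUT = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.56.v20240826:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:9.4.56.v20240826:compile
[INFO]    org.eclipse.jetty:jetty-util:jar:9.4.56.v20240826:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.57.v20241219:test
[INFO]    org.eclipse.jetty:jetty-server:jar:10.0.24:compile
"""

if __name__ == "__main__":
    import sys

    # Pipe real output in (mvn dependency:list | python3 this.py); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MVN_OUTPUT
    for version, scope, affected in scan_dependency_list(text):
        verdict = {True: "AFFECTED by CVE-2024-13009", False: "not affected", None: "unparsed, check by hand"}[affected]
        print(f"jetty-server {version} ({scope}): {verdict}")
```

On the sample, the 9.4.56.v20240826 compile-scope artifact is flagged and the 9.4.57.v20241219 and 10.0.24 ones are not. Scope matters for triage: the 9.4.56 hit here is compile scope, so it ships with the application, whereas a test-scope hit would not. The check is purely version-based; it does not tell you whether the deployment actually inflates gzip request bodies, which is the path the description ties the bug to, so treat a flagged version as affected and upgrade to 9.4.57 rather than reasoning about reachability.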

Vulnerability Details (4)

OSV: **UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request (2025-05-08)
OSV: CVE-2024-13009: In Eclipse Jetty versions 9 (2025-05-08)
CVEList: Eclipse Jetty GZIP buffer release (2025-05-08)
GHSA: **UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request (2025-05-08)

Vendor Advisories (4)

Oracle: Oracle Enterprise Manager Risk Matrix: Gateway (Eclipse Jetty) — CVE-2024-13009 (2026-01-15)
Oracle: Oracle JD Edwards Risk Matrix: E1 IOT Orchestrator Security (Eclipse Jetty) — CVE-2024-13009 (2025-10-15)
Red Hat: jetty-server: Jetty: Gzip Request Body Buffer Corruption (2025-05-08)
Debian: CVE-2024-13009: jetty12 - In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released w... (2024)