GHSA-r7m4-f9h5-gr79
GitHub Security Advisory
Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks
Advisory Details
### Impact
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.
### Patches
* https://github.com/jetty/jetty.project/pull/9715
* https://github.com/jetty/jetty.project/pull/9716
### Workarounds
The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:
+ not using the PushCacheFilter. Push has been deprecated by the various IETF specs, and Early Hints responses should be used instead.
+ reducing the idle timeout on unauthenticated sessions, which reduces the time such sessions stay in memory.
+ configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.
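The second and third workarounds above, combined in one embedded-Jetty configuration. This is an added example, not code from the advisory or from the Jetty project; it assumes the Jetty 10/11 embedded API (`org.eclipse.jetty.server.session.*`, `org.eclipse.jetty.servlet.ServletContextHandler`), a hypothetical `ShortAnonTimeout` listener, and a constructed file-store directory under `java.io.tmpdir`. The class deliberately does not register a PushCacheFilter, which is the first workaround.

```java
import java.io.File;

import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.DefaultSessionCache;
import org.eclipse.jetty.server.session.FileSessionDataStore;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class HardenedSessionServer {
    // Short idle timeout (seconds) for every new session; a new session is
    // by definition unauthenticated, so this bounds how long an anonymous
    // client can keep session state alive in memory.
    static final int ANON_IDLE_SECONDS = 60;
    // Longer timeout an application would apply after a successful login
    // (hypothetical value; the login handler would call
    // session.setMaxInactiveInterval(AUTH_IDLE_SECONDS)).
    static final int AUTH_IDLE_SECONDS = 1800;

    // Hypothetical listener: every freshly created session gets the short timeout.
    public static class ShortAnonTimeout implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent se) {
            se.getSession().setMaxInactiveInterval(ANON_IDLE_SECONDS);
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            // nothing to clean up in this example
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler context =
            new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        server.setHandler(context);
        // Note: no PushCacheFilter is added to this context (workaround 1).

        SessionHandler sessions = context.getSessionHandler();
        // Server-wide default idle timeout, in seconds (workaround 2).
        sessions.setMaxInactiveInterval(ANON_IDLE_SECONDS);
        sessions.addEventListener(new ShortAnonTimeout());

        // Session passivation (workaround 3): evict idle sessions from the
        // in-memory cache after 30 s and keep their data in a file store,
        // so memory, not disk, is no longer the limiting resource.
        DefaultSessionCache cache = new DefaultSessionCache(sessions);
        cache.setEvictionPolicy(30);   // positive value = seconds idle before eviction
        cache.setSaveOnCreate(true);   // persist immediately, not only on eviction
        FileSessionDataStore store = new FileSessionDataStore();
        // Constructed directory for the example; use a dedicated volume in production.
        store.setStoreDir(new File(System.getProperty("java.io.tmpdir"), "jetty-sessions"));
        store.setDeleteUnrestorableFiles(true);
        cache.setSessionDataStore(store);
        sessions.setSessionCache(cache);

        server.start();
        server.join();
    }
}
```

The eviction policy and the idle timeout work together: eviction moves a session out of the heap while it is still valid, and the timeout decides when the stored copy is discarded entirely. Monitoring the size of the store directory gives a direct signal if a burst of anonymous sessions is being created.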
### References
* https://github.com/jetty/jetty.project/pull/10756
* https://github.com/jetty/jetty.project/pull/10755
Data from GitHub Advisory Database. This information is provided for research and educational purposes.