{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-13009", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-12-28T09:11:12.587Z", "datePublished": "2025-05-08T17:29:31.380Z", "dateUpdated": "2025-05-08T18:56:39.446Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Jetty", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "9.4.56", "status": "affected", "version": "9.4.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."}], "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-05-08T17:29:31.380Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"}, {"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned"], "title": "Eclipse Jetty GZIP buffer release", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T18:55:32.278977Z", "id": "CVE-2024-13009", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T18:56:39.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-13009", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T18:55:32.278977Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T18:55:42.205Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Eclipse Jetty GZIP buffer release", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eclipse Foundation", "product": "Jetty", "versions": [{"status": "affected", "version": "9.4.0", "versionType": "semver", "lessThanOrEqual": "9.4.56"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"}, {"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests.", "supportingMedia": [{"type": "text/html", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-05-08T17:29:31.380Z"}}}, "cveMetadata": {"cveId": "CVE-2024-13009", "state": "PUBLISHED", "dateUpdated": "2025-05-08T18:56:39.446Z", "dateReserved": "2024-12-28T09:11:12.587Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2025-05-08T17:29:31.380Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "emo@eclipse.org", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."}, {"lang": "es", "value": "En las versiones 9.4.0 a 9.4.56 de Eclipse Jetty, un b\u00fafer puede liberarse incorrectamente al detectar un error de gzip al inflar el cuerpo de una solicitud. Esto puede provocar que se compartan datos corruptos o inadvertidos entre solicitudes."}], "id": "CVE-2024-13009", "lastModified": "2025-05-12T17:32:52.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2025-05-08T18:15:41.640", "references": [{"source": "emo@eclipse.org", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"}, {"source": "emo@eclipse.org", "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:9697", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4", "impact": "moderate", "package": "jetty-server", "product_name": "Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9922", "cpe": "cpe:/a:redhat:amq_streams:2.9::el9", "package": "jetty-server", "product_name": "Streams for Apache Kafka 2.9.1", "release_date": "2025-06-30T00:00:00Z"}], "bugzilla": {"description": "jetty-server: Jetty: Gzip Request Body Buffer Corruption", "id": "2365135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365135"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-404", "details": ["In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests.", "A flaw was found in Eclipse Jetty. This vulnerability allows corrupted and inadvertent data sharing between requests via a gzip error when inflating a request body. If the request body is malformed, the gzip decompression process can fail, resulting in the application inadvertently using data from a previous request when processing the current one."], "name": "CVE-2024-13009", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "maven-wagon", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "jmc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:offline_knowledge_portal:1", "fix_state": "Not affected", "package_name": "offline-knowledge-portal/rhokp-rhel9", "product_name": "Red Hat Offline Knowledge Portal"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:el8/puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "streams for Apache Kafka"}], "public_date": "2025-05-08T17:29:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-13009\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-13009\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/48"], "statement": "This vulnerability is rated as an IMPORTANT severity because a buffer management vulnerability exists within the GzipHandler's buffer release mechanism when encountering gzip errors during request body inflation, this flaw can lead to the incorrect release and subsequent inadvertent sharing and corruption of request body data between concurrent uncompressed requests, results in data exposure and incorrect processing of requests due to corrupted input.", "threat_severity": "Important"}