CVE-2024-6762: 
Java vulnerability analysis and mitigation

CVE-2024-6762 affects Eclipse Jetty's PushSessionCacheFilter component, which can be exploited by unauthenticated users to launch remote Denial of Service (DoS) attacks by exhausting the server's memory. The vulnerability affects Jetty versions 10.0.0 through 10.0.17, 11.0.0 through 11.0.17, and 12.0.0 through 12.0.3. This issue was disclosed on October 14, 2024 (NVD, GitHub Advisory).

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption). It has received a CVSS v3.1 base score of 6.5 (MEDIUM) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while the Eclipse Foundation assigned it a score of 3.1 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

When exploited, this vulnerability allows attackers to cause a Denial of Service condition by exhausting the server's memory resources. The attack can be performed remotely by unauthenticated users, potentially making the server unavailable for legitimate users (GitHub Advisory).

The issue has been patched in Jetty versions 10.0.18, 11.0.18, and 12.0.4. For users unable to upgrade, several workarounds are available: avoid using the PushCacheFilter as Push has been deprecated in favor of early hints responses, reduce the idle timeout on unauthenticated sessions, or configure session passivation to store sessions in a database or file system rather than memory (GitHub Advisory).