CVE-2024-8184: 
Java vulnerability analysis and mitigation

A security vulnerability exists in Jetty's ThreadLimitHandler.getRemote() function affecting multiple versions: Jetty 12.0.0-12.0.8, 11.0.0-11.0.23, 10.0.0-10.0.23, and 9.3.12-9.4.55. The vulnerability was discovered and disclosed in October 2024, impacting the org.eclipse.jetty:jetty-server package (Eclipse Advisory).

The vulnerability allows unauthorized users to exploit the ThreadLimitHandler.getRemote() function to cause denial-of-service (DoS) attacks. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while Eclipse Foundation assessed it at 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption) (NVD Database).

By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory resources, leading to service disruption for legitimate users. The vulnerability primarily affects the availability of the system, with no direct impact on confidentiality or integrity (Eclipse Advisory).

The vulnerability has been patched in versions 12.0.9, 11.0.24, 10.0.24, and 9.4.56. For users unable to update immediately, the recommended workaround is to avoid using ThreadLimitHandler and consider using QoSHandler instead to artificially limit resource utilization (Eclipse Advisory).