CVE-2024-13009 - Vulnerability Details

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Eclipse	Jetty
Redhat	Amq Streams Apache Camel Spring Boot

Configuration 1 [-]

cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7
jetty-server	cpe:/a:redhat:apache_camel_spring_boot:4	RHSA-2025:9697	2025-06-25T00:00:00Z
Streams for Apache Kafka 2.9.1
jetty-server	cpe:/a:redhat:amq_streams:2.9::el9	RHSA-2025:9922	2025-06-30T00:00:00Z

References

Link	Providers
https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5
https://gitlab.eclipse.org/security/cve-assignement/-/issues/48
https://nvd.nist.gov/vuln/detail/CVE-2024-13009
https://www.cve.org/CVERecord?id=CVE-2024-13009

History

Thu, 31 Jul 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eclipse Eclipse jetty
CPEs		cpe:2.3:a:eclipse:jetty::::::::
Vendors & Products		Eclipse Eclipse jetty

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00039}`	epss `{'score': 0.00041}`

Tue, 01 Jul 2025 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat amq Streams
CPEs		cpe:/a:redhat:amq_streams:2.9::el9
Vendors & Products		Redhat amq Streams

Thu, 26 Jun 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat apache Camel Spring Boot
CPEs		cpe:/a:redhat:apache_camel_spring_boot:4
Vendors & Products		Redhat Redhat apache Camel Spring Boot

Fri, 16 May 2025 02:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-13009 https://www.cve.org/CVERecord?id=CVE-2024-13009
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 08 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 08 May 2025 17:45:00 +0000

Type	Values Removed	Values Added
Description		In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
Title		Eclipse Jetty GZIP buffer release
Weaknesses		CWE-404
References		https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5 https://gitlab.eclipse.org/security/cve-assignement/-/issues/48
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2025-05-08T17:29:31.380Z

Updated: 2025-05-08T18:56:39.446Z

Reserved: 2024-12-28T09:11:12.587Z

Link: CVE-2024-13009

Vulnrichment

Updated: 2025-05-08T18:55:42.205Z

NVD

Status : Analyzed

Published: 2025-05-08T18:15:41.640

Modified: 2025-07-31T16:31:12.697

Link: CVE-2024-13009

Redhat

Severity : Important

Publid Date: 2025-05-08T17:29:31Z

Links: CVE-2024-13009 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-13009", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-12-28T09:11:12.587Z", "datePublished": "2025-05-08T17:29:31.380Z", "dateUpdated": "2025-05-08T18:56:39.446Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Jetty", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "9.4.56", "status": "affected", "version": "9.4.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."}], "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-05-08T17:29:31.380Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"}, {"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned"], "title": "Eclipse Jetty GZIP buffer release", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T18:55:32.278977Z", "id": "CVE-2024-13009", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T18:56:39.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-13009", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T18:55:32.278977Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T18:55:42.205Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Eclipse Jetty GZIP buffer release", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eclipse Foundation", "product": "Jetty", "versions": [{"status": "affected", "version": "9.4.0", "versionType": "semver", "lessThanOrEqual": "9.4.56"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"}, {"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests.", "supportingMedia": [{"type": "text/html", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-05-08T17:29:31.380Z"}}}, "cveMetadata": {"cveId": "CVE-2024-13009", "state": "PUBLISHED", "dateUpdated": "2025-05-08T18:56:39.446Z", "dateReserved": "2024-12-28T09:11:12.587Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2025-05-08T17:29:31.380Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E84B2A3-9032-487F-96D2-6E7F94D761B1", "versionEndExcluding": "9.4.57", "versionStartIncluding": "9.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "emo@eclipse.org", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."}, {"lang": "es", "value": "En las versiones 9.4.0 a 9.4.56 de Eclipse Jetty, un b\u00fafer puede liberarse incorrectamente al detectar un error de gzip al inflar el cuerpo de una solicitud. Esto puede provocar que se compartan datos corruptos o inadvertidos entre solicitudes."}], "id": "CVE-2024-13009", "lastModified": "2025-07-31T16:31:12.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2025-05-08T18:15:41.640", "references": [{"source": "emo@eclipse.org", "tags": ["Vendor Advisory"], "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"}, {"source": "emo@eclipse.org", "tags": ["Issue Tracking"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:9697", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4", "impact": "moderate", "package": "jetty-server", "product_name": "Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9922", "cpe": "cpe:/a:redhat:amq_streams:2.9::el9", "package": "jetty-server", "product_name": "Streams for Apache Kafka 2.9.1", "release_date": "2025-06-30T00:00:00Z"}], "bugzilla": {"description": "jetty-server: Jetty: Gzip Request Body Buffer Corruption", "id": "2365135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365135"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-404", "details": ["In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests.", "A flaw was found in Eclipse Jetty. This vulnerability allows corrupted and inadvertent data sharing between requests via a gzip error when inflating a request body. If the request body is malformed, the gzip decompression process can fail, resulting in the application inadvertently using data from a previous request when processing the current one."], "name": "CVE-2024-13009", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "maven-wagon", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "jmc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "jetty-server", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:offline_knowledge_portal:1", "fix_state": "Not affected", "package_name": "offline-knowledge-portal/rhokp-rhel9", "product_name": "Red Hat Offline Knowledge Portal"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:el8/puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/puppetserver", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "jetty-server", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "jetty-server", "product_name": "streams for Apache Kafka"}], "public_date": "2025-05-08T17:29:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-13009\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-13009\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/48"], "statement": "This vulnerability is rated as an IMPORTANT severity because a buffer management vulnerability exists within the GzipHandler's buffer release mechanism when encountering gzip errors during request body inflation, this flaw can lead to the incorrect release and subsequent inadvertent sharing and corruption of request body data between concurrent uncompressed requests, results in data exposure and incorrect processing of requests due to corrupted input.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object