CVE-2024-7708
Received Received - Intake

Buffer Leak in Eclipse Jetty HTTP Server

Vulnerability report for CVE-2024-7708, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Eclipse Foundation

Description

For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak. This is particularly the case for 100-Continue, but any request where the network is slow can leak.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
eclipse jetty_server From 10.0.7 (inc) to 10.0.23 (exc)
eclipse jetty_server From 11.0.7 (inc) to 11.0.23 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2024-7708 is a memory leak vulnerability in Eclipse Jetty's HttpConnection class. It occurs when processing HTTP requests that include a body, but the body is read as 0 bytes due to specific conditions, such as slow network connections or 100-Continue responses. This failure to properly handle the request body results in a buffer leak, which can lead to uncontrolled resource consumption over time.

  • Affected versions: Jetty server versions between 10.0.7 and 10.0.23 (excluding 10.0.23) and between 11.0.7 and 11.0.23 (excluding 11.0.23).
  • Associated weaknesses: CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Improper Release of Memory After Effective Lifetime).
  • Severity: High (CVSS 3.1 BaseScore of 7.5), primarily impacting system availability.
Impact Analysis

This vulnerability can impact you in several ways if you are using an affected version of Eclipse Jetty:

  • Resource exhaustion: The memory leak can lead to uncontrolled consumption of system resources (e.g., memory), potentially causing the Jetty server to slow down or crash, resulting in denial-of-service (DoS) conditions.
  • Degraded performance: Over time, the accumulation of leaked buffers can degrade server performance, leading to slower response times or service interruptions for users.
  • Increased operational costs: If the server crashes or requires frequent restarts, it may lead to additional maintenance efforts and downtime, increasing operational overhead.
  • Security risks: While this vulnerability does not directly expose sensitive data or allow unauthorized access, the resulting DoS conditions could be exploited by attackers to disrupt services.
Compliance Impact

This vulnerability may indirectly affect compliance with common standards and regulations, depending on the context in which Eclipse Jetty is used:

  • GDPR (General Data Protection Regulation): While this vulnerability does not directly involve data exposure, prolonged service disruptions or downtime caused by resource exhaustion could impact the availability of systems processing personal data. GDPR requires organizations to ensure the availability and resilience of processing systems (Article 32), so repeated outages could raise compliance concerns.
  • HIPAA (Health Insurance Portability and Accountability Act): For organizations handling protected health information (PHI), this vulnerability could lead to service disruptions that affect the availability of critical healthcare systems. HIPAA's Security Rule (45 CFR Part 164, Subpart C) requires covered entities to ensure the confidentiality, integrity, and availability of electronic PHI. Downtime or degraded performance could violate these requirements.
  • Other standards (e.g., ISO 27001, NIST): Compliance frameworks like ISO 27001 and NIST emphasize the importance of maintaining system availability and managing risks related to resource exhaustion. This vulnerability could be seen as a failure to implement adequate controls for resource management, potentially leading to non-compliance if not addressed promptly.

To mitigate compliance risks, organizations should patch affected systems or apply recommended workarounds to prevent potential disruptions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-7708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart