vulnerability

Jenkins Advisory 2024-03-20: CVE-2024-22201: HTTP/2 denial of service vulnerability in bundled Jetty

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Feb 26, 2024	Mar 21, 2024	Aug 11, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Feb 26, 2024

Added

Mar 21, 2024

Modified

Aug 11, 2025

Description

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

Solutions

jenkins-lts-upgrade-2_440_2jenkins-upgrade-2_444

References

CVE-2024-22201
https://attackerkb.com/topics/CVE-2024-22201
CWE-400
CWE-770
URL-https://jenkins.io/security/advisory/2024-03-20/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today