
CVE-2024-6762: CWE-400 Uncontrolled Resource Consumption in Eclipse Foundation Jetty

Severity: Low
Tags: vulnerability, cve-2024-6762, cwe-400
Published: Mon Oct 14 2024 (10/14/2024, 15:07:10 UTC)
Source: CVE Database V5
Vendor/Project: Eclipse Foundation
Product: Jetty

Description

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

AI-Powered Analysis

Last updated: 11/03/2025, 20:07:23 UTC

Technical Analysis

CVE-2024-6762 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) in the Jetty web server maintained by the Eclipse Foundation. The flaw is in PushSessionCacheFilter, an optional servlet filter that records which secondary resources (scripts, stylesheets, images) follow a request for a primary page and uses that association to issue HTTP/2 server push on later requests. A remote attacker can send crafted requests that make the filter allocate memory without an effective bound or cleanup, until the JVM heap is exhausted and the server can no longer serve legitimate users: a denial of service.

The CVE record lists Jetty 10.0.0, 11.0.0 and 12.0.0 as affected. Read these as the start of the affected 10.0.x, 11.0.x and 12.0.x lines rather than as the only affected releases, and confirm the exact affected and fixed versions against the Eclipse Jetty advisory for this CVE. The CVSS v3.1 base score is 3.1 (Low) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L: network attack vector, high attack complexity, no user interaction, no confidentiality or integrity impact, and a low availability impact. Note the inconsistency in the record: PR:L states that low privileges are required, while the advisory text says unauthenticated users can trigger the exhaustion. Plan defences on the assumption that no credentials are needed.

No exploits in the wild are known, and this analysis records no patch as available at the time of the October 14, 2024 publication; verify the current status with the Eclipse Jetty advisory before relying on that. Exposure is limited to deployments that actually register PushSessionCacheFilter and expose HTTP/2 endpoints, which includes web applications, APIs and microservices that depend on Jetty's server push.

Potential Impact

For European organizations, the primary impact of CVE-2024-6762 is a denial-of-service condition: an attacker exhausts server memory and causes outages or degraded performance for every application on the affected Jetty instance. This disrupts business operations, customer access and critical online services, particularly where Jetty hosts public web applications or API gateways. The vulnerability does not compromise data confidentiality or integrity, but availability loss still carries financial and reputational cost, and it can raise compliance questions under GDPR, whose Article 32 security obligations include the availability and resilience of processing systems. Finance, government, healthcare and telecommunications organizations commonly run Java-based web servers including Jetty and so are more likely to have exposed instances. The low CVSS score reflects the high attack complexity and the availability-only impact; the advisory's statement that unauthenticated users can trigger the exhaustion means credentials are not a barrier in exposed environments. The absence of known exploits lowers immediate risk but does not remove the threat of future exploitation.

Mitigation Recommendations

European organizations should implement the following mitigations, listed roughly in order of effectiveness:

1) Disable or remove PushSessionCacheFilter unless HTTP/2 push is essential to the application. Delete the <filter> and <filter-mapping> entries that reference it from web.xml, jetty-web.xml or override descriptors, or the addFilter(...) call in embedded Jetty code. This removes the vulnerable component and does not depend on a patch.
2) Track the Eclipse Jetty advisory for this CVE and upgrade to a fixed release as soon as one is available for the Jetty line in use.
3) Restrict network access so that HTTP/2 endpoints on servers that still use the filter are reachable only from trusted networks or through a VPN.
4) Apply rate limiting and per-client connection throttling in front of Jetty (reverse proxy or load balancer), or with Jetty's own DoSFilter from jetty-servlets, to slow an attacker trying to fill the filter's cache.
5) Monitor JVM heap usage, garbage collection pressure, and the number of active HTTP sessions and HTTP/2 streams. A steady climb in heap that tracks request volume from a small set of clients, without a matching rise in legitimate traffic, is the signal to look for.
6) Use a WAF or DoS protection service that can detect and block abnormal request patterns against the Jetty hosts.
7) Review the wider Java web estate for other resource exhaustion vectors: unbounded caches, session creation on unauthenticated requests, and missing request size or connection limits.
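To make the disable-or-remove recommendation above checkable across many hosts, here is an added audit script. It is example code written for this page, not Jetty project tooling, and not part of the original analysis. It lists every XML descriptor or Java source under a directory that references PushSessionCacheFilter and reports the jetty-servlets jar versions found, so an operator can see whether the filter is registered and which Jetty line is installed. Assumptions: a standard layout with descriptors under $JETTY_BASE/webapps and jars under $JETTY_HOME/lib, and jar names of the form jetty-servlets-<version>.jar (Jetty 10/11) or jetty-ee*-servlets-<version>.jar (Jetty 12). The demo tree the script builds when run without arguments is constructed sample data, not a real installation.

```shell
#!/bin/sh
# Audit helper for CVE-2024-6762 (added example, not Jetty project tooling).
# Reports descriptors/sources that register PushSessionCacheFilter and the
# jetty-servlets jar versions present. Layout and jar naming are assumptions:
# descriptors under $JETTY_BASE/webapps, jars under $JETTY_HOME/lib, named
# jetty-servlets-<ver>.jar (Jetty 10/11) or jetty-ee*-servlets-<ver>.jar (12).

# Print every *.xml or *.java file under $1 that mentions the filter class.
# Exit 0 if at least one was found, 1 if none. grep -l exits 1 on no match,
# so the status is captured instead of aborting a script run under set -e.
find_push_filter_refs() {
    dir="$1"
    hits=$(find "$dir" -type f \( -name '*.xml' -o -name '*.java' \) \
        -exec grep -l 'PushSessionCacheFilter' {} + 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Print "<version> <path>" for each jetty-servlets style jar under $1.
list_servlets_jar_versions() {
    dir="$1"
    find "$dir" -type f \( -name 'jetty-servlets-*.jar' \
        -o -name 'jetty-ee*-servlets-*.jar' \) 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # Drop everything up to and including the last "servlets-".
        printf '%s %s\n' "${base##*servlets-}" "$jar"
    done
}

# Combined report. Returns 0 when the filter is not registered anywhere,
# 1 when at least one descriptor or source file enables it.
audit_jetty_push_filter() {
    webapps="$1"; lib="$2"
    echo "jetty-servlets jars under $lib:"
    list_servlets_jar_versions "$lib"
    echo "files referencing PushSessionCacheFilter under $webapps:"
    if find_push_filter_refs "$webapps"; then
        echo "RESULT: filter registered; remove its <filter>/<filter-mapping> or addFilter call"
        return 1
    fi
    echo "RESULT: filter not registered"
}

# Constructed demo layout (not a real Jetty install) so the audit can be
# exercised offline: one webapp registering the filter, one that does not,
# and a lib dir with a jetty-servlets jar. Prints the root directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/webapps/app1/WEB-INF" "$root/webapps/app2/WEB-INF" "$root/lib"
    cat > "$root/webapps/app1/WEB-INF/web.xml" <<'EOF'
<web-app>
  <filter>
    <filter-name>push</filter-name>
    <filter-class>org.eclipse.jetty.servlets.PushSessionCacheFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>push</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
EOF
    printf '<web-app/>\n' > "$root/webapps/app2/WEB-INF/web.xml"
    : > "$root/lib/jetty-servlets-10.0.0.jar"
    : > "$root/lib/jetty-io-10.0.0.jar"
    printf '%s\n' "$root"
}

# Usage: audit.sh WEBAPPS_DIR [LIB_DIR]; with no arguments, run on the demo tree.
if [ "$#" -gt 0 ]; then
    audit_jetty_push_filter "$1" "${2:-$1}"
else
    demo=$(make_demo_tree)
    audit_jetty_push_filter "$demo/webapps" "$demo/lib" || true
    rm -rf "$demo"
fi
```

The grep only sees descriptors and source files. For an application that registers the filter from compiled code or a packaged jar, run the same class-name search over the unpacked application (for example `unzip -p app.war | strings | grep PushSessionCacheFilter`), and treat any jetty-servlets version the script reports as something to compare against the Eclipse Jetty advisory rather than as a verdict on its own.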


Technical Details

Data Version
5.2
Assigner Short Name
eclipse
Date Reserved
2024-07-15T17:35:50.791Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690908577fff0e30cee23a06

Added to database: 11/3/2025, 7:53:59 PM

Last enriched: 11/3/2025, 8:07:23 PM

Last updated: 11/5/2025, 10:34:10 AM


