2365135 – (CVE-2024-13009) CVE-2024-13009 jetty-server: Jetty: Gzip Request Body Buffer Corruption

Bug 2365135 (CVE-2024-13009) - CVE-2024-13009 jetty-server: Jetty: Gzip Request Body Buffer Corruption

Summary: CVE-2024-13009 jetty-server: Jetty: Gzip Request Body Buffer Corruption

Keywords:
Status:	NEW
Alias:	CVE-2024-13009
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2366515 2366516 2366514
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-08 18:01 UTC by OSIDB Bzimport
Modified:	2025-12-03 11:54 UTC (History)
CC List:	94 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:12511	None	None	None	2025-08-01 17:43:21 UTC
Red Hat Product Errata	RHSA-2025:15643	None	None	None	2025-09-10 15:04:27 UTC
Red Hat Product Errata	RHSA-2025:9697	None	None	None	2025-06-25 19:47:53 UTC
Red Hat Product Errata	RHSA-2025:9922	None	None	None	2025-06-30 13:17:22 UTC

Description OSIDB Bzimport 2025-05-08 18:01:10 UTC

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request
body. This can result in corrupted and/or inadvertent sharing of data between requests.

Comment 2 errata-xmlrpc 2025-06-25 19:47:46 UTC

This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7

Via RHSA-2025:9697 https://access.redhat.com/errata/RHSA-2025:9697

Comment 3 errata-xmlrpc 2025-06-30 13:17:14 UTC

This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.1

Via RHSA-2025:9922 https://access.redhat.com/errata/RHSA-2025:9922

Comment 4 errata-xmlrpc 2025-08-01 17:43:14 UTC

This issue has been addressed in the following products:

  Streams for Apache Kafka 3.0.0

Via RHSA-2025:12511 https://access.redhat.com/errata/RHSA-2025:12511

Comment 6 errata-xmlrpc 2025-09-10 15:04:20 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2025:15643 https://access.redhat.com/errata/RHSA-2025:15643

Note You need to log in before you can comment on or make changes to this bug.

abrianik
anthomas
aprice
aschwart
asoldano
ataylor
bbaranow
bmaxwell
boliveir
brian.stansberry
caswilli
ccranfor
cdewolf
chfoley
cmiranda
crizzo
csutherl
darran.lofthouse
dbruscin
dfreiber
dhanak
dkreling
dnakabaa
dosoudil
drosa
drow
ehelms
eric.wittmann
fjuma
fmariani
ggainey
ggrzybek
gmalinko
ibek
istudens
ivassile
iweiss
janstey
jburrell
jclere
jpechane
jpoth
jrokos
jsamir
jscholz
juwatts
kaycoth
kgaikwad
kholdawa
kvanderr
kverlaen
lcouzens
lgao
mhulan
mnovotny
mosmerov
mposolda
mskarbek
msochure
msvehla
nipatil
nmoumoul
nwallace
oezr
osousa
pantinor
parichar
pcongius
pcreech
pdelbell
pesilva
pjindal
plodge
pmackay
porcelli
rchan
rguimara
rkieley
rkubis
rstancel
rstepani
sausingh
smaestri
smallamp
ssilvert
sthorger
swoodman
szappis
tasato
tcunning
tom.jenkinson
vkumar
vmuzikar
yfang