In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.

The 13.5 and 24.1 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Agent Next Gen (Apache Commons Lang)). Supported versions that are affected are 13.5 and 24.1.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in     unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Manager Base     Platform. (CVE-2025-48924)

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Gateway (Eclipse Jetty)). The supported version that is affected is 24.1. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise     Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may     significantly impact additional products (scope change). Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform     accessible data as well as unauthorized read access to a subset of Oracle Enterprise Manager Base Platform     accessible data.  Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle     Enterprise Manager (component: Oracle Enterprise Manager Base Platform - Agent Next Gen (Eclipse Jetty)).
    Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base     Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly     impact additional products (scope change). Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible     data as well as unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible     data. (CVE-2024-13009)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:15643 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security Fix(es):

    * Jetty: Gzip Request Body Buffer Corruption (CVE-2024-13009)

    Users of Red Hat Satellite are advised to upgrade to these updated     packages, which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip     error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data     between requests. (CVE-2024-13009)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0390 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2024-13009:
    In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip     error when inflating a request     body. This can result in corrupted and/or inadvertent sharing of data between requests.

    CVE-2024-22201:
    Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

    CVE-2023-36478:
    Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to     exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size     limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is     true, the multiplication by 4 in line 295     will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on     line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK     header value sizes to be negative, potentially leading to a very large buffer allocation later on when the     user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more     precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length     value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to     be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The     issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

    CVE-2022-2048:
    In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error     handling has a bug that can wind up not properly cleaning up the active connections and associated     resources. This can lead to a Denial of Service scenario where there are no enough resources left to     process good requests.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:01738-1 advisory.

    Upgrade to version 9.4.57.v20241219

    - CVE-2024-6763: the HttpURI class does insufficient validation on the authority segment of a URI     (bsc#1231652)
    - CVE-2024-13009: Gzip Request Body Buffer (bsc#1243271)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
297820	Oracle Enterprise Manager Cloud Control (January 2026 CPU)	Nessus	Misc.	high
264489	RHEL 8 : Satellite 6.15.5.4 Async Update (Important) (RHSA-2025:15643)	Nessus	Red Hat Local Security Checks	high
244161	Linux Distros Unpatched Vulnerability : CVE-2024-13009	Nessus	Misc.	high
241484	TencentOS Server 4: jetty (TSSA-2025:0390)	Nessus	Tencent Local Security Checks	high
237536	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2025:01738-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2024-13009

high

Tenable Plugins

high

high

high

high

medium