CVE-2021-34428

Published: 2021-06-22 15:15:16
CWE: CWE-613 (Insufficient Session Expiration)
Source: web.nvd.nist.gov
Tags: cve, 2021, 34428, eclipse jetty, vulnerability, session id, clustered sessions

CVSS2: 3.6 Low
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N

CVSS3: 3.5 Low
  Attack Vector: PHYSICAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 3.9 Low (Confidence: High)

EPSS: 0.002 Low (Percentile: 51.7%)

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Affected configurations

NVD

Node 1:
  eclipse jetty, versions up to and including 9.4.40
  OR eclipse jetty, versions 10.0.0 to 10.0.2
  OR eclipse jetty, versions 11.0.0 to 11.0.2
Node 2:
  debian debian_linux 10.0
Node 3:
  netapp active_iq_unified_manager (linux)
  OR netapp active_iq_unified_manager (windows)
  OR netapp e-series_santricity_os_controller, versions 11.0 to 11.70.1
  OR netapp e-series_santricity_web_services (web_services_proxy)
  OR netapp element_plug-in_for_vcenter_server
  OR netapp santricity_cloud_connector
  OR netapp snap_creator_framework
  OR netapp snapmanager (sap)
Node 4:
  oracle autovue_for_agile_product_lifecycle_management 21.0.2
  OR oracle communications_element_manager 8.2.2
  OR oracle communications_services_gatekeeper 7.0
  OR oracle communications_session_report_manager, versions 8.0.0.0 to 8.2.4.0
  OR oracle communications_session_route_manager, versions 8.0.0 to 8.2.4.0
  OR oracle rest_data_services, versions < 21.3
  OR oracle siebel_core_-_automation, versions up to 21.9

CNA Affected

[
  {
    "product": "Eclipse Jetty",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "9.4.40",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "10.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "10.0.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "11.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "11.0.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
