4 matches found
Astra Linux – Vulnerability in Jetty9
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. In deployments with clustered sessions and multiple contexts, this can result in a session not...
The vulnerability of the SessionListener#sessionDestroyed() method in Eclipse Jetty’s servers allows a hacker to exploit their privileges.
The vulnerability of the SessionListener#sessionDestroyed() method in Eclipse Jetty-related containers is related to an incorrect session expiration time. Exploiting this vulnerability can allow attackers to increase their privileges...
Insecure Session ID
org.eclipse.jetty, jetty-server has Insecure Session ID. The vulnerability exists due to SessionListener#sessionDestroyed() not validating the session ID if an exception is thrown...
GHSA-M6CP-VXJX-65J6 SessionListener can prevent a session from being invalidated breaking logout
Impact: If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application us...