CVE-2018-12538

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-12538

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12538.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-12538

Aliases

GHSA-mwcx-532g-8pq3

Withdrawn

2024-05-15T05:31:21.993778Z

Published

2018-06-22T19:29:00Z

Modified

2023-11-29T06:27:08.884045Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

References

Affected packages

Git / github.com/eclipse/jetty.project

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/jetty.project
Events: Introduced

bf9d17540c7ae4c91be30c045a9485aa2030d3e5

Introduced

432f896d7a4555fcc81f38108757ea0aca8788e6

Type: GIT
Repo: https://github.com/jetty/jetty.project
Events: Introduced

bf9d17540c7ae4c91be30c045a9485aa2030d3e5

Introduced

432f896d7a4555fcc81f38108757ea0aca8788e6

Affected versions

jetty-10.*

jetty-10.0.0

jetty-10.0.1

jetty-10.0.13

jetty-10.0.15

jetty-10.0.16

jetty-10.0.17

jetty-10.0.18

jetty-10.0.2

jetty-10.0.4

jetty-10.0.5

jetty-10.0.6

jetty-10.0.7

jetty-10.0.8

jetty-11.*

jetty-11.0.0

jetty-11.0.1

jetty-11.0.13

jetty-11.0.15

jetty-11.0.16

jetty-11.0.17

jetty-11.0.18

jetty-11.0.2

jetty-11.0.4

jetty-11.0.5

jetty-11.0.6

jetty-11.0.7

jetty-11.0.8

jetty-11.0.9

jetty-12.*

jetty-12.0.0.alpha3

jetty-12.0.0.beta1

jetty-12.0.0.beta2x

jetty-12.0.0.beta3

jetty-12.0.0.beta3x

jetty-12.0.0x

jetty-12.0.1

jetty-12.0.2

jetty-12.0.3

jetty-9.*

jetty-9.4.36.v20210114

jetty-9.4.37.v20210219