GHSA-mwcx-532g-8pq3

Suggest an improvement
Source
https://github.com/advisories/GHSA-mwcx-532g-8pq3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-mwcx-532g-8pq3/GHSA-mwcx-532g-8pq3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mwcx-532g-8pq3
Aliases
  • CVE-2018-12538
Published
2018-10-16T17:44:11Z
Modified
2024-02-17T05:43:52.147542Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Access and integrity issue within Eclipse Jetty
Details

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-384",
        "CWE-6"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:47:31Z",
    "severity": "HIGH"
}
References

Affected packages

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.4.0
Fixed
9.4.11.v20180605

Affected versions

9.*
9.4.0.v20161208
9.4.0.v20180619
9.4.1.v20170120
9.4.1.v20180619
9.4.2.v20170220
9.4.2.v20180619
9.4.3.v20170317
9.4.3.v20180619
9.4.4.v20170414
9.4.4.v20180619
9.4.5.v20170502
9.4.5.v20180619
9.4.6.v20170531
9.4.6.v20180619
9.4.7.RC0
9.4.7.v20170914
9.4.7.v20180619
9.4.8.v20171121
9.4.8.v20180619
9.4.9.v20180320
9.4.10.RC0
9.4.10.RC1
9.4.10.v20180503

Database specific

last_known_affected_version_range 
"<= 9.4.10.v20180503"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-mwcx-532g-8pq3/GHSA-mwcx-532g-8pq3.json"