GHSA-mwcx-532g-8pq3

Source
https://github.com/advisories/GHSA-mwcx-532g-8pq3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-mwcx-532g-8pq3/GHSA-mwcx-532g-8pq3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mwcx-532g-8pq3
Aliases
Published
2018-10-16T17:44:11Z
Modified
2024-02-17T05:43:52.147542Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Access and integrity issue within Eclipse Jetty
Details

In Eclipse Jetty 9.4.0 through 9.4.8, when the optional Jetty-provided FileSessionDataStore is used for persistent storage of HttpSession data, a malicious user can access or hijack other users' HttpSessions and can even delete HttpSessions that are not theirs from the FileSessionDataStore's filesystem storage. The description names 9.4.0 through 9.4.8, but the affected range recorded below extends to 9.4.10.v20180503, with the fix shipping in 9.4.11.v20180605. Deployments that do not enable the FileSessionDataStore are not exposed by this issue.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-384",
        "CWE-6"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:47:31Z"
}
References

Affected packages

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.4.0
Fixed
9.4.11.v20180605

Affected versions


9.4.0.v20161208
9.4.0.v20180619
9.4.1.v20170120
9.4.1.v20180619
9.4.2.v20170220
9.4.2.v20180619
9.4.3.v20170317
9.4.3.v20180619
9.4.4.v20170414
9.4.4.v20180619
9.4.5.v20170502
9.4.5.v20180619
9.4.6.v20170531
9.4.6.v20180619
9.4.7.RC0
9.4.7.v20170914
9.4.7.v20180619
9.4.8.v20171121
9.4.8.v20180619
9.4.9.v20180320
9.4.10.RC0
9.4.10.RC1
9.4.10.v20180503

Database specific

{
    "last_known_affected_version_range": "<= 9.4.10.v20180503"
}
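The affected range above (introduced 9.4.0, fixed 9.4.11.v20180605, under OSV's ECOSYSTEM semantics of an inclusive introduced event and an exclusive fixed event) is what a build should be checked against, and Jetty's version strings need a comparator that understands RC pre-releases and dated builds. The following is an added example, not code from the OSV page or from the Jetty project: it orders the 9.4 version forms visible in the list above (bare x.y.z as OSV writes it, RCn candidates, vYYYYMMDD builds, assumed to be the only forms for this artifact), evaluates the range, and scans constructed `mvn dependency:tree` output for affected resolved versions of org.eclipse.jetty:jetty-server.

```python
import re

# Affected range copied from the advisory (OSV ECOSYSTEM range: introduced is
# inclusive, fixed is exclusive).
AFFECTED_PACKAGE = "org.eclipse.jetty:jetty-server"
INTRODUCED = "9.4.0"
FIXED = "9.4.11.v20180605"

# Jetty 9.4 version scheme as seen in the advisory's version list:
# MAJOR.MINOR.PATCH with an optional qualifier that is either a release
# candidate ("RC0") or a build date ("v20180503").
# Assumption: no other qualifier forms occur for this artifact.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(?:RC(\d+)|v(\d{8})))?$")


def parse_jetty_version(text):
    """Map a Jetty version string to a sortable tuple.

    Ordering: release candidates sort before any final build of the same
    x.y.z (rank 0); a bare x.y.z, which is how OSV writes the introduced
    event, sorts at the start of the finals (rank 1, date 0); dated builds
    sort by their build date.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    major, minor, patch, rc, date = m.groups()
    if rc is not None:
        qualifier = (0, int(rc))
    else:
        qualifier = (1, int(date) if date else 0)
    return (int(major), int(minor), int(patch)) + qualifier


def is_affected(version, introduced=INTRODUCED, fixed=FIXED):
    """True when introduced <= version < fixed under the ordering above."""
    v = parse_jetty_version(version)
    return parse_jetty_version(introduced) <= v < parse_jetty_version(fixed)


# Coordinate as printed by `mvn dependency:tree`: group:artifact:type:version
_TREE_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?:jar|war):(?P<version>[^:\s]+)"
)


def scan_dependency_tree(tree_text, package=AFFECTED_PACKAGE):
    """Find every resolution of the affected coordinate in dependency:tree
    output and report (version, affected) for each one, in file order."""
    findings = []
    for line in tree_text.splitlines():
        m = _TREE_RE.search(line)
        if not m:
            continue
        if f"{m['group']}:{m['artifact']}" != package:
            continue
        findings.append((m["version"], is_affected(m["version"])))
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project output):
# one compile-scope resolution inside the range and one test-scope resolution
# at the fixed version.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.10.v20180503:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.10.v20180503:compile
[INFO] |  \\- org.eclipse.jetty:jetty-io:jar:9.4.10.v20180503:compile
[INFO] \\- org.eclipse.jetty:jetty-server:jar:9.4.11.v20180605:test
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        status = "AFFECTED" if affected else "ok"
        print(f"{AFFECTED_PACKAGE}:{version} -> {status}")
```

Two ordering consequences worth knowing: a candidate such as 9.4.10.RC1 is inside the range because it sorts below the 9.4.11 fixed event, and the fixed version itself is not affected because the fixed event is exclusive. Because the fix lives in the artifact, only the resolved jetty-server version matters; the context path or session store configuration is not visible from the dependency tree and has to be checked separately.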