CVE-2018-12538

CWE-6 CWE-384 CWE-287 — Improper Authentication8 documents7 sources

Severity

8.8HIGH

EPSS

0.5%

top 33.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Jetty Eclipse Jetty Netapp E-series Santricity OS Controller +1 more

Timeline

PublishedJun 22

Latest updateOct 16

Description

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶Mavenorg.eclipse.jetty:jetty-server9.4.0 — 9.4.11.v20180605

▶CVEListV5the_eclipse_foundation/eclipse_jettyunspecified — 9.4.9+1

▶NVDeclipse/jetty9.4.0 — 9.4.8

▶NVDnetapp/oncommand_system_manager3.0.0 — 3.1.3

▶NVDnetapp/e-series_santricity_os_controller11.0 — 11.40

🔴Vulnerability Details

GHSA

Access and integrity issue within Eclipse Jetty↗2018-10-16

▶

OSV

Access and integrity issue within Eclipse Jetty↗2018-10-16

▶

CVEList

CVE-2018-12538: In Eclipse Jetty versions 9↗2018-06-22

▶

📋Vendor Advisories

Red Hat

jetty: HttpSessions access/hijack in the FileSystem's storage for the FileSessionDataStore.↗2018-06-18

▶

Debian

CVE-2018-12538: jetty9 - In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty pro...↗2018

▶

💬Community

Bugzilla

CVE-2018-12538 jetty: HttpSessions access/hijack in the FileSystem's storage for the FileSessionDataStore.↗2018-06-26

▶

Bugzilla

CVE-2018-12538 jetty: HttpSessions access/hijack in the FileSystem's storage for the FileSessionDataStore. [fedora-27]↗2018-06-26

▶