CVE-2021-34428
published 2021-06-22
Severity: low (CVSS 3.1 base score 3.5)
Vector: AV:P / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | jetty9 | < jetty9 9.4.39-2 (bookworm) | jetty9 9.4.39-2 (bookworm) |
| eclipse | jetty | <= 9.4.40 | — |
| eclipse | jetty | 10.0.0 – 10.0.2 | — |
| eclipse | jetty | 11.0.0 – 11.0.2 | — |
| netapp | e-series_santricity_os_controller | 11.0 – 11.70.1 | — |
| oracle | autovue_for_agile_product_lifecycle_management | — | — |
| oracle | communications_element_manager | — | — |
| oracle | communications_services_gatekeeper | — | — |
| oracle | communications_session_report_manager | 8.0.0.0 – 8.2.4.0 | — |
| oracle | communications_session_route_manager | 8.0.0 – 8.2.4.0 | — |
| oracle | rest_data_services | < 21.3 | 21.3 |
| oracle | siebel_core_automation | <= 21.9 | — |
| the_eclipse_foundation | eclipse_jetty | >= 10.0.0 < unspecified | unspecified |
| the_eclipse_foundation | eclipse_jetty | >= 11.0.0 < unspecified | unspecified |
| the_eclipse_foundation | eclipse_jetty | >= 9.0.0 < unspecified | unspecified |
| the_eclipse_foundation | eclipse_jetty | unspecified – 9.4.40 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.5 | LOW | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| osv | — | 3.5 | LOW | — |