CVE-2018-12538

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
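A quick triage check for the condition the description above spells out (a Jetty 9.4.0 through 9.4.8 instance that has the file-backed session store enabled). This is an added example, not code from this database entry or from the Jetty project. It assumes Jetty 9.4's start-configuration conventions: the `session-store-file` start module switches on FileSessionDataStore and `jetty.session.file.storeDir` names its directory; neither name appears in the CVE text, and the start.ini fragments below are constructed samples. Pre-release 9.4.0 builds (RC, milestone, maintenance) are counted as affected because this page's CPE list includes them.

```python
import re

# Affected range from the CVE description: Eclipse Jetty 9.4.0 through 9.4.8.
# The CPE list on this page also counts the 9.4.0 RC/maintenance builds, so a
# 9.4.0 pre-release qualifier is treated as affected too.
AFFECTED_MAJOR_MINOR = (9, 4)
AFFECTED_PATCH_MAX = 8

# Jetty 9.4 version strings look like "9.4.8.v20171121" or "9.4.0.RC3";
# the trailing qualifier is kept but ignored for the range check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-]([A-Za-z0-9_]+))?$")


def parse_jetty_version(version):
    """Return (major, minor, patch, qualifier), or None if this is not a Jetty version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), qualifier


def is_affected_version(version):
    """True when the version is in 9.4.0..9.4.8 inclusive, the range the CVE description gives."""
    parsed = parse_jetty_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch, _ = parsed
    return (major, minor) == AFFECTED_MAJOR_MINOR and patch <= AFFECTED_PATCH_MAX


# Assumption (Jetty 9.4 start configuration, not stated on this page): the
# "session-store-file" module enables FileSessionDataStore, and the
# "jetty.session.file.storeDir" property points at its storage directory.
_MODULE_RE = re.compile(r"^\s*--module=(?:.*,)?session-store-file(?:,.*)?\s*$", re.MULTILINE)
_STOREDIR_RE = re.compile(r"^\s*jetty\.session\.file\.storeDir\s*=", re.MULTILINE)


def uses_file_session_store(start_config):
    """True if a start.ini / start.d fragment enables the file-backed session store."""
    # Drop comment lines first so a commented-out module line does not count as enabled.
    uncommented = "\n".join(
        line for line in start_config.splitlines() if not line.lstrip().startswith("#")
    )
    return bool(_MODULE_RE.search(uncommented) or _STOREDIR_RE.search(uncommented))


def assess(version, start_config):
    """Combine both checks into one verdict for a deployment."""
    affected = is_affected_version(version)
    file_store = uses_file_session_store(start_config)
    return {
        "version": version,
        "version_in_affected_range": affected,
        "file_session_store_enabled": file_store,
        "exposed_to_cve_2018_12538": affected and file_store,
    }


# Constructed sample start.ini fragments (not taken from any real deployment).
SAMPLE_INI_FILE_STORE = """\
--module=http
--module=deploy
--module=session-store-file
jetty.session.file.storeDir=/var/lib/jetty/sessions
"""

SAMPLE_INI_DEFAULT_STORE = """\
--module=http
--module=deploy
# --module=session-store-file   (left disabled)
"""

if __name__ == "__main__":
    for v, ini in (("9.4.8.v20171121", SAMPLE_INI_FILE_STORE),
                   ("9.4.0.RC3", SAMPLE_INI_FILE_STORE),
                   ("9.4.8.v20171121", SAMPLE_INI_DEFAULT_STORE),
                   ("9.4.9.v20180320", SAMPLE_INI_FILE_STORE)):
        print(assess(v, ini))
```

The check only reports what this entry supports: a version inside 9.4.0 through 9.4.8 with the file store switched on. It does not say which later release carries the fix, so treat a "not exposed" result for a newer 9.4.x as "outside the range this page lists", not as an independent assurance, and confirm against the Jetty advisory for this CVE.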

Published : 2018-06-22 19:29 Updated : 2019-10-09 23:34

CVSS Score: 6.5 / 10
Vendor Product Version CPE
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:maintenance_0
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:maintenance_1
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc0
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc1
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc2
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:rc3
Eclipse Jetty 9.4.1 cpe:/a:eclipse:jetty:9.4.1
Eclipse Jetty 9.4.2 cpe:/a:eclipse:jetty:9.4.2
Eclipse Jetty 9.4.3 cpe:/a:eclipse:jetty:9.4.3
Eclipse Jetty 9.4.4 cpe:/a:eclipse:jetty:9.4.4
Eclipse Jetty 9.4.5 cpe:/a:eclipse:jetty:9.4.5
Eclipse Jetty 9.4.6 cpe:/a:eclipse:jetty:9.4.6
Eclipse Jetty 9.4.7 cpe:/a:eclipse:jetty:9.4.7
Eclipse Jetty 9.4.7 cpe:/a:eclipse:jetty:9.4.7:rc0
Eclipse Jetty 9.4.8 cpe:/a:eclipse:jetty:9.4.8
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:20161207
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:20161208
Eclipse Jetty 9.4.0 cpe:/a:eclipse:jetty:9.4.0:20180619
Eclipse Jetty 9.4.1 cpe:/a:eclipse:jetty:9.4.1:20170120
Eclipse Jetty 9.4.1 cpe:/a:eclipse:jetty:9.4.1:20180619
Eclipse Jetty 9.4.2 cpe:/a:eclipse:jetty:9.4.2:20170220
Eclipse Jetty 9.4.2 cpe:/a:eclipse:jetty:9.4.2:20180619
Eclipse Jetty 9.4.3 cpe:/a:eclipse:jetty:9.4.3:20170317
Eclipse Jetty 9.4.3 cpe:/a:eclipse:jetty:9.4.3:20180619
Eclipse Jetty 9.4.4 cpe:/a:eclipse:jetty:9.4.4:20170410
Eclipse Jetty 9.4.4 cpe:/a:eclipse:jetty:9.4.4:20170414
Eclipse Jetty 9.4.4 cpe:/a:eclipse:jetty:9.4.4:20180619
Eclipse Jetty 9.4.5 cpe:/a:eclipse:jetty:9.4.5:20170502
Eclipse Jetty 9.4.5 cpe:/a:eclipse:jetty:9.4.5:20180619
Eclipse Jetty 9.4.6 cpe:/a:eclipse:jetty:9.4.6:20170531
Eclipse Jetty 9.4.6 cpe:/a:eclipse:jetty:9.4.6:20180619
Eclipse Jetty 9.4.7 cpe:/a:eclipse:jetty:9.4.7:20170914
Eclipse Jetty 9.4.7 cpe:/a:eclipse:jetty:9.4.7:20180619
Eclipse Jetty 9.4.8 cpe:/a:eclipse:jetty:9.4.8:20171121
Eclipse Jetty 9.4.8 cpe:/a:eclipse:jetty:9.4.8:20180619
Netapp E-series Santricity Management Plug-ins - cpe:/a:netapp:e-series_santricity_management_plug-ins:-
Netapp E-series Santricity Web Services Proxy - cpe:/a:netapp:e-series_santricity_web_services_proxy:-
Netapp Element Software - cpe:/a:netapp:element_software:-
Netapp Hyper Converged Infrastructure - cpe:/a:netapp:hyper_converged_infrastructure:-
Netapp Oncommand Unified Manager - cpe:/a:netapp:oncommand_unified_manager:-
Netapp Santricity Cloud Connector - cpe:/a:netapp:santricity_cloud_connector:-
Netapp Snap Creator Framework - cpe:/a:netapp:snap_creator_framework:-
Netapp Snapcenter - cpe:/a:netapp:snapcenter:-
Netapp Snapmanager - cpe:/a:netapp:snapmanager:-

CWE

ID Name Description Links
CWE-384 Session Fixation Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. CVE

History of changes

Date Event
2019-03-21 14:58
2018-10-16 10:29
2018-08-13 18:55
2018-06-29 01:29
2018-06-22 19:29 New CVE