8.8
CVSSv3

CVE-2018-12538

CVSSv4: NA | CVSSv3: 8.8 | CVSSv2: 6.5 | VMScore: 980 | EPSS: 0.0032 | KEV: Not Included
Published: 22/06/2018 Updated: 21/11/2024

Vulnerability Summary

In Eclipse Jetty versions 9.4.0 up to and including 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vulnerable Product Search on Vulmon Subscribe to Product

eclipse jetty

netapp e-series santricity management plug-ins -

netapp e-series santricity os controller

netapp e-series santricity web services proxy -

netapp element software -

netapp hyper converged infrastructure -

netapp oncommand system manager

netapp oncommand unified manager -

netapp santricity cloud connector -

netapp snap creator framework -

netapp snapcenter -

netapp snapmanager -

Vendor Advisories

Debian Bug report logs - #902774 jetty9: CVE-2018-12536 Package: jetty9; Maintainer for jetty9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for jetty9 is src:jetty9 (PTS, buildd, popcon) Reported by: Markus Koschany <apo@debianorg> Date: Sat, 30 Jun 2018 18:45:04 UTC Severity: g ...
Debian Bug report logs - #902953 jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 Package: jetty9; Maintainer for jetty9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for jetty9 is src:jetty9 (PTS, buildd, popcon) Reported by: Markus Koschany <apo@debianorg> Date: Sat, 30 Jun 201 ...
In Eclipse Jetty versions 940 through 948, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore ...