QwikSec

Security Database

CVE

CWE

Training

CVE-2018-12538

Published: Jun 22, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Vendor	Product	Versions
The Eclipse Foundation	Eclipse Jetty	affected `unspecified - < 9.4.9` affected `9.4.0 - < unspecified`

Weaknesses (CWE)

References

vdb-entry

x_refsource_SECTRACK

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

x_refsource_MISC

[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpuoct2020.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20181014-0001/

x_refsource_CONFIRM

https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.