Session Hijacking Vulnerability in Eclipse Jetty by Eclipse Foundation
CVE-2018-12538
8.8 HIGH
What is CVE-2018-12538?
A vulnerability exists in certain versions of Eclipse Jetty where a malicious actor can exploit the FileSessionDataStore, the component Jetty uses for persistent storage of HttpSession data on the filesystem. The flaw allows unauthorized users to access and hijack other users' HttpSessions, and potentially to delete unmatched sessions from the filesystem. Because the issue affects both the confidentiality and the integrity of session state, it poses a significant risk for web applications running the affected Jetty versions, and users should upgrade to a secure version to mitigate it.
Affected Version(s)
Eclipse Jetty < 9.4.9
Eclipse Jetty 9.4.0
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged