Session Hijacking Vulnerability in Eclipse Jetty by Eclipse Foundation
CVE-2018-12538
Severity: 8.8 (HIGH)
What is CVE-2018-12538?
A vulnerability exists in certain versions of Eclipse Jetty in the FileSessionDataStore, the component used for persistent storage of HttpSession data. By exploiting this flaw, an unauthorized user can access and hijack other users' HttpSessions, and can potentially delete unmatched sessions from the filesystem. Because the issue affects the session layer itself, it poses a significant risk to any web application running on an affected Jetty version, so users should upgrade to a fixed version to mitigate it.
Affected Version(s)
- Eclipse Jetty < 9.4.9
- Eclipse Jetty 9.4.0 (already included in the range above)
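A defender's first step with an advisory like this is to find every deployment still on an affected release. The following script is an added example, not code from the advisory or from the Jetty project: it parses Jetty version strings (Jetty 9.4 releases are tagged like 9.4.8.v20171121), pulls versions out of jar filenames, and flags anything below the 9.4.9 fix version stated above. The hostnames and jar lists in SAMPLE_INVENTORY are constructed for the example; the "< 9.4.9" comparison follows the affected range exactly as the advisory gives it, so it errs toward flagging rather than missing a host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix version as stated in the advisory above: everything below 9.4.9 is listed as affected.
FIXED_VERSION: Tuple[int, int, int] = (9, 4, 9)

# Jetty 9.4 version strings look like '9.4.8.v20171121'; the 'vYYYYMMDD' build tag is optional here.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?")
# Jetty artifact filenames look like 'jetty-server-9.4.8.v20171121.jar'.
_JAR_RE = re.compile(r"^jetty-[A-Za-z0-9-]+-(\d+\.\d+\.\d+(?:\.v\d{8})?)\.jar$")


def parse_jetty_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a Jetty version string.

    The build-date tag is ignored: ordering between releases is fully
    determined by the numeric part, and comparing tuples gives that ordering.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is below the fix release listed in the advisory."""
    return parse_jetty_version(version) < FIXED_VERSION


def version_from_jar_name(jar_name: str) -> Optional[str]:
    """Extract the version from a Jetty jar filename; None if it is not a Jetty jar."""
    m = _JAR_RE.match(jar_name)
    return m.group(1) if m else None


def find_affected_hosts(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map host -> affected Jetty jars, given host -> list of jar filenames.

    Non-Jetty jars are skipped; hosts with no affected jar are left out of the result.
    """
    findings: Dict[str, List[str]] = {}
    for host, jars in inventory.items():
        hits = []
        for jar in jars:
            version = version_from_jar_name(jar)
            if version is not None and is_affected(version):
                hits.append(jar)
        if hits:
            findings[host] = hits
    return findings


# Constructed sample inventory: hostnames and jar lists are made up for this example.
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "app-01.example.internal": [
        "jetty-server-9.4.8.v20171121.jar",
        "jetty-http-9.4.8.v20171121.jar",
    ],
    "app-02.example.internal": ["jetty-server-9.4.12.v20180830.jar"],
    "legacy.example.internal": [
        "jetty-server-9.4.0.v20161208.jar",
        "commons-io-2.6.jar",
    ],
}

if __name__ == "__main__":
    for host, jars in find_affected_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(jars)}")
```

In practice the inventory would come from a software-composition or asset tool rather than a literal dict; the comparison logic stays the same. Hosts that report only the bare version (for example 9.4.0 without a build tag) are handled too, since the tag is optional in the parser.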