Session Management Flaw in Eclipse Jetty Affects Multiple Versions
CVE-2021-34428

2.9LOW

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Jetty
Vendor: CVE Published:; 22 June 2021

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-34428?

In versions of Eclipse Jetty up to 9.4.40, 10.0.2, and 11.0.2, an issue arises when exceptions are thrown from the SessionListener#sessionDestroyed() method. This oversight prevents the session ID from being invalidated in the session ID manager. As a consequence, in environments with clustered sessions and multiple contexts, sessions can remain active unintentionally. This could leave applications running on shared computers susceptible to unauthorized access, as user sessions are not properly terminated.

Affected Version(s)

Eclipse Jetty 9.0.0

Eclipse Jetty <= 9.4.40

Eclipse Jetty 10.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

jetty_9.4.31_CVE-2021-34428
Created by Trinadh465

References

https://github.com/eclipse/jetty.project/security/advisor...

x_refsource_CONFIRM

https://lists.apache.org/thread.html/ref1c161a1621504e673...

mailing-listx_refsource_MLIST

https://www.debian.org/security/2021/dsa-4949

vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:

2.9

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Physical

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 1, 2023
👾
Exploit known to exist
Nov 1, 2023
Vulnerability published
Jun 22, 2021
Vulnerability Reserved
Jun 9, 2021

The Eclipse Foundation