CVE-2018-12538
22.06.2018, 19:29
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.Enginsight
| Vendor | Product | Version |
|---|---|---|
| eclipse | jetty | 9.4.0 ≤ 𝑥 ≤ 9.4.8 |
| netapp | e-series_santricity_management_plug-ins | - |
| netapp | e-series_santricity_os_controller | 11.0 ≤ 𝑥 ≤ 11.40 |
| netapp | e-series_santricity_web_services_proxy | - |
| netapp | element_software | - |
| netapp | hyper_converged_infrastructure | - |
| netapp | oncommand_system_manager | 3.0.0 ≤ 𝑥 ≤ 3.1.3 |
| netapp | oncommand_unified_manager | - |
| netapp | santricity_cloud_connector | - |
| netapp | snap_creator_framework | - |
| netapp | snapcenter | - |
| netapp | snapmanager | - |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-6 - J2EE Misconfiguration: Insufficient Session-ID LengthThe J2EE application is configured to use an insufficient session ID length.
- CWE-384 - Session FixationAuthenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
References