CVE-2021-34428
EUVD-2021-135422.06.2021, 15:15
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| eclipse | jetty | 𝑥 ≤ 9.4.40 |
| eclipse | jetty | 10.0.0 ≤ 𝑥 ≤ 10.0.2 |
| eclipse | jetty | 11.0.0 ≤ 𝑥 ≤ 11.0.2 |
| debian | debian_linux | 10.0 |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | e-series_santricity_os_controller | 11.0 ≤ 𝑥 ≤ 11.70.1 |
| netapp | e-series_santricity_web_services | - |
| netapp | element_plug-in_for_vcenter_server | - |
| netapp | santricity_cloud_connector | - |
| netapp | snap_creator_framework | - |
| netapp | snapmanager | - |
| oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
| oracle | communications_element_manager | 8.2.2 |
| oracle | communications_services_gatekeeper | 7.0 |
| oracle | communications_session_report_manager | 8.0.0.0 ≤ 𝑥 ≤ 8.2.4.0 |
| oracle | communications_session_route_manager | 8.0.0 ≤ 𝑥 ≤ 8.2.4.0 |
| oracle | rest_data_services | 𝑥 < 21.3 |
| oracle | siebel_core_-_automation | 𝑥 ≤ 21.9 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| jetty |
| ||||||||||||||||||||||||
| jetty8 |
| ||||||||||||||||||||||||
| jetty9 |
|
Common Weakness Enumeration
References