CVE-2021-34428

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Published: Jun 22, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-34428
GHSA: GHSA-m6cp-vxjx-65j6
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.5
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.6
AV:L/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
eclipse / jetty	11.0.0	11.0.2.x
eclipse / jetty	10.0.0	10.0.2.x
eclipse / jetty	-	9.4.40.x
debian / debian_linux	10.0	10.0.x
netapp / e-series_santricity_os_controller	11.0	11.70.1.x
oracle / communications_services_gatekeeper	7.0	7.0.x
oracle / autovue_for_agile_product_lifecycle_management	21.0.2	21.0.2.x
oracle / siebel_core_-_automation	-	21.9.x
oracle / communications_session_route_manager	8.0.0	8.2.4.0.x
oracle / communications_element_manager	8.2.2	8.2.2.x
oracle / rest_data_services	-	21.3
oracle / communications_session_report_manager	8.0.0.0	8.2.4.0.x
org.eclipse.jetty / jetty-server	-	9.4.41
org.eclipse.jetty / jetty-server	10.0.0	10.0.3
org.eclipse.jetty / jetty-server	11.0.0	11.0.3

Vulnerability Database

289,599

CVE-2021-34428