CVE-2018-12538 - High Severity Vulnerability
Vulnerable Library - jetty-server-9.4.8.v20171121.jar
The core jetty server artifact.
path: /root/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar
Library home page: http://www.eclipse.org/jetty
Dependency Hierarchy:
Vulnerability Details
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Publish Date: 2018-06-22
URL: CVE-2018-12538
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041194
Fix Resolution: The vendor has issued a fix (9.4.11.v20180605, 9.2.25.v20180606, 9.3.24.v20180605).
The vendor advisory is available at:
http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html