CVE-2021-34428 – org.eclipse.jetty:jetty-server

Package

Manager: maven
Name: org.eclipse.jetty:jetty-server
Vulnerable Version: >=0 <9.4.41 || >=10.0.0 <10.0.3 || >=11.0.0 <11.0.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00557 pctl0.67185

Details

SessionListener can prevent a session from being invalidated breaking logout ### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.

Metadata

Created: 2021-06-23T20:23:04Z
Modified: 2022-02-08T21:21:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-m6cp-vxjx-65j6
Finding: F076
Auto approve: 1