CVE-2021-34428
Vulnerability Summary
Description
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSS Metrics
- v3.1 • LOW • Score: 2.9 • Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
- v3.1 • LOW • Score: 3.5 • Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- v2.0 • LOW • Score: 3.6 • Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N
EPSS Trends
Current EPSS score: 0.29% • Percentile: 53%
Techniques & Countermeasures
- CWE-613 • Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Affected Systems
- debian • debian_linux: 10.0
- eclipse • jetty: ≤ 9.4.40 | ≥ 10.0.0, ≤ 10.0.2 | ≥ 11.0.0, ≤ 11.0.2
- org.eclipse.jetty • jetty-server: < 9.4.41 | ≥ 10.0.0, < 10.0.3 | ≥ 11.0.0, < 11.0.3
- netapp • active_iq_unified_manager: na
- netapp • e-series_santricity_os_controller: ≥ 11.0, ≤ 11.70.1
- netapp • e-series_santricity_web_services: na
- netapp • element_plug-in_for_vcenter_server: na
- netapp • santricity_cloud_connector: na
- netapp • snap_creator_framework: na
- netapp • snapmanager: na
- oracle • autovue_for_agile_product_lifecycle_management: 21.0.2
- oracle • communications_element_manager: 8.2.2
- oracle • communications_services_gatekeeper: 7.0
- oracle • communications_session_report_manager: ≥ 8.0.0.0, ≤ 8.2.4.0
- oracle • communications_session_route_manager: ≥ 8.0.0, ≤ 8.2.4.0
- oracle • rest_data_services: < 21.3
- oracle • siebel_core_-_automation: ≤ 21.9
- the eclipse foundation • eclipse jetty: ≥ 9.0.0, < unspecified | ≥ unspecified, ≤ 9.4.40 | ≥ 10.0.0, < unspecified | ≥ unspecified, ≤ 10.0.2 | ≥ 11.0.0, < unspecified | ≥ unspecified, ≤ 11.0.2
References (21)
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
- https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E
- https://www.debian.org/security/2021/dsa-4949
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210813-0003/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-34428
- https://github.com/eclipse/jetty.project
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210813-0003