CVE-2018-12538

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hyper_converged_infrastructure:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:*:*:*

History

07 Nov 2023, 02:52

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E', 'name': '[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image', 'tags': [], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E -

Information

Published : 2018-06-22 19:29

Updated : 2024-02-28 16:25


NVD link : CVE-2018-12538

Mitre link : CVE-2018-12538

CVE.ORG link : CVE-2018-12538


JSON object : View

Products Affected

netapp

  • element_software
  • e-series_santricity_os_controller
  • e-series_santricity_web_services_proxy
  • e-series_santricity_management_plug-ins
  • oncommand_unified_manager
  • hyper_converged_infrastructure
  • santricity_cloud_connector
  • oncommand_system_manager
  • snap_creator_framework
  • snapmanager
  • snapcenter

eclipse

  • jetty
CWE
CWE-384

Session Fixation

CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length