CVE-2018-12538

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hyper_converged_infrastructure:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:45

Type Values Removed Values Added
References () http://www.securitytracker.com/id/1041194 - Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1041194 - Third Party Advisory, VDB Entry
References () https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018 - Issue Tracking, Vendor Advisory () https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018 - Issue Tracking, Vendor Advisory
References () https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E - () https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E -
References () https://security.netapp.com/advisory/ntap-20181014-0001/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20181014-0001/ - Third Party Advisory
References () https://www.oracle.com/security-alerts/cpuoct2020.html - () https://www.oracle.com/security-alerts/cpuoct2020.html -
References () https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html - () https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html -

07 Nov 2023, 02:52

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E', 'name': '[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image', 'tags': [], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E -

Information

Published : 2018-06-22 19:29

Updated : 2024-11-21 03:45


NVD link : CVE-2018-12538

Mitre link : CVE-2018-12538

CVE.ORG link : CVE-2018-12538


JSON object : View

Products Affected

netapp

  • oncommand_system_manager
  • e-series_santricity_web_services_proxy
  • oncommand_unified_manager
  • element_software
  • snapmanager
  • e-series_santricity_management_plug-ins
  • santricity_cloud_connector
  • snapcenter
  • e-series_santricity_os_controller
  • hyper_converged_infrastructure
  • snap_creator_framework

eclipse

  • jetty
CWE
CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length

CWE-384

Session Fixation