In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 03:45
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.securitytracker.com/id/1041194 - Third Party Advisory, VDB Entry | |
References | () https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018 - Issue Tracking, Vendor Advisory | |
References | () https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E - | |
References | () https://security.netapp.com/advisory/ntap-20181014-0001/ - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2020.html - | |
References | () https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html - |
07 Nov 2023, 02:52
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-06-22 19:29
Updated : 2024-11-21 03:45
NVD link : CVE-2018-12538
Mitre link : CVE-2018-12538
CVE.ORG link : CVE-2018-12538
JSON object : View
Products Affected
netapp
- oncommand_system_manager
- e-series_santricity_web_services_proxy
- oncommand_unified_manager
- element_software
- snapmanager
- e-series_santricity_management_plug-ins
- santricity_cloud_connector
- snapcenter
- e-series_santricity_os_controller
- hyper_converged_infrastructure
- snap_creator_framework
eclipse
- jetty