WEB APPLICATION VULNERABILITIES Standard & Premium

Jetty Session Fixation Vulnerability (CVE-2018-12538)

Description

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Remediation

References

Related Vulnerabilities

ProjectSend Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-9786)

WordPress Plugin FoxyPress Multiple Vulnerabilities (0.4.2.5)

WordPress Plugin WordPress Mobile Pack Information Disclosure (2.0.1)

Moodle Incorrect Authorization Vulnerability (CVE-2020-25701)

Vanilla Forums Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3613)

Severity

High

Classification

CVE-2018-12538 CWE-384 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities