Description

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

Remediation

References

CVE-2018-12538

Related Vulnerabilities

WordPress Plugin Slider Revolution Responsive Arbitrary File Upload (3.0.95)

Magento Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2021-21027)

MyBB Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-19202)

WordPress Plugin Comment Rating SQL Injection and Security Bypass Weakness Vulnerabilities (2.9.32)

MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability (CVE-2023-45369)

Severity

High

Classification

CVE-2018-12538 CWE-384 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities