In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystems storage for the FileSessionDataStore.
Weakness
The J2EE application is configured to use an insufficient session ID length.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jetty | Eclipse | 9.4.0 (including) | 9.4.8 (including) |
| Jetty9 | Ubuntu | artful | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.securitytracker.com/id/1041194
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://www.securitytracker.com/id/1041194
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html