Base Score

LOW3.5

CVE-2021-34428

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

VectorPHYSICAL

Published Byemo@eclipse.org

Published DateJun 22, 2021, 15:15

Affected Versions(3)

org.eclipse.jetty:jetty-server(Maven)

Introduced0

Fixed9.4.41

LimitN/A

org.eclipse.jetty:jetty-server(Maven)

Introduced10.0.0

Fixed10.0.3

LimitN/A

org.eclipse.jetty:jetty-server(Maven)

Introduced11.0.0

Fixed11.0.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.eclipse.jetty:jetty-server(Maven)	0	9.4.41	N/A
org.eclipse.jetty:jetty-server(Maven)	10.0.0	10.0.3	N/A
org.eclipse.jetty:jetty-server(Maven)	11.0.0	11.0.3	N/A

Weakness Type (CWE):CWE-613

CVSS Metrics

Base Score

3.5

Vector String

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

PHYSICAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

LOW3.5

Weakness Type (CWE):CWE-613

CVSS Metrics

Base Score

3.5

Vector String

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

PHYSICAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE