CVE-2021-34428

EPSS 0.51%
Veröffentlicht 22.06.2021 15:15:16
Zuletzt bearbeitet 21.11.2024 06:10:23
Quelle emo@eclipse.org
Teams Watchlist Login
Unerledigt Login

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 15

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Eclipse ≫ Jetty Version <= 9.4.40

Eclipse ≫ Jetty Version >= 10.0.0 <= 10.0.2

Eclipse ≫ Jetty Version >= 11.0.0 <= 11.0.2

Debian ≫ Debian Linux Version10.0

Netapp ≫ Active Iq Unified Manager Version- SwPlatformlinux

Netapp ≫ Active Iq Unified Manager Version- SwPlatformwindows

Netapp ≫ E-series Santricity Os Controller Version >= 11.0 <= 11.70.1

Netapp ≫ E-series Santricity Web Services Version- SwPlatformweb_services_proxy

Netapp ≫ Element Plug-in For Vcenter Server Version-

Netapp ≫ Santricity Cloud Connector Version-

Netapp ≫ Snap Creator Framework Version-

Netapp ≫ Snapmanager Version- SwPlatformsap

Oracle ≫ Autovue For Agile Product Lifecycle Management Version21.0.2

Oracle ≫ Communications Element Manager Version8.2.2

Oracle ≫ Communications Services Gatekeeper Version7.0

Oracle ≫ Communications Session Report Manager Version >= 8.0.0.0 <= 8.2.4.0

Oracle ≫ Communications Session Route Manager Version >= 8.0.0 <= 8.2.4.0

Oracle ≫ Rest Data Services SwEdition- Version < 21.3

Oracle ≫ Siebel Core - Automation Version <= 21.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.654

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.5	0.9	2.5	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	3.6	3.9	4.9	AV:L/AC:L/Au:N/C:P/I:P/A:N
emo@eclipse.org	2.9	0.4	2.5	CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory

Not Applicable

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://www.debian.org/security/2021/dsa-4949

Third Party Advisory

https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E