Insufficient Session Expiration in Jetty - CVE-2021-34428

Published: August 8, 2021


Vulnerability identifier: #VU55642
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-34428
CWE-ID: CWE-613
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Eclipse
Affected software:
Jetty

Detailed vulnerability description

The vulnerability allows an attacker with local access to keep using a session that the application believes it has terminated, for example on a shared computer where the previous user logged out but the session was never actually invalidated.

The vulnerability exists because session expiration is not enforced reliably (CWE-613). If an exception is thrown from the SessionListener#sessionDestroyed() method (the servlet HttpSessionListener callback that Jetty invokes while invalidating a session), the session ID is not invalidated in the session ID manager, because the listener calls run before the ID is released and the exception aborts the rest of the invalidation. On deployments with clustered sessions and multiple contexts this can leave a session valid after the application attempted to invalidate it, so an application used on a shared computer can be left logged in.
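
The invalidation ordering described above, as an added example that is not Jetty's code and not part of the original advisory. It is a plain-JDK model: IdManager stands in for Jetty's SessionIdManager, DestroyedListener for the servlet HttpSessionListener#sessionDestroyed callback, and all class and method names are assumptions. The vulnerable method mirrors the ordering the advisory describes (listeners first, ID released last, no exception handling); the hardened method shows the container-side fix, and guarded() the application-side workaround for listeners you control.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Model of the CVE-2021-34428 failure mode. Not Jetty's code: IdManager is a
 * stand-in for Jetty's SessionIdManager and DestroyedListener for the servlet
 * HttpSessionListener#sessionDestroyed callback. All names are assumptions.
 * Run with: java SessionExpiryDemo.java
 */
public class SessionExpiryDemo {

    /** Stand-in for the cross-context session ID manager: which ids are still live. */
    static final class IdManager {
        private final Set<String> liveIds = new HashSet<>();
        private int counter = 0;

        String newSessionId() {
            String id = "sid-" + (++counter);
            liveIds.add(id);
            return id;
        }

        boolean isIdInUse(String id) { return liveIds.contains(id); }

        void invalidateAll(String id) { liveIds.remove(id); }
    }

    /** Stand-in for HttpSessionListener#sessionDestroyed. */
    interface DestroyedListener {
        void sessionDestroyed(String id);
    }

    /** Vulnerable ordering: the id is released only after every listener returns normally. */
    static void invalidateVulnerable(IdManager mgr, String id, List<DestroyedListener> listeners) {
        for (DestroyedListener l : listeners) {
            l.sessionDestroyed(id);   // a throwing listener aborts the whole method here...
        }
        mgr.invalidateAll(id);        // ...so this line is skipped and the id stays live
    }

    /** Hardened ordering: each listener failure is contained and the id is always released. */
    static void invalidateHardened(IdManager mgr, String id, List<DestroyedListener> listeners) {
        try {
            for (DestroyedListener l : listeners) {
                try {
                    l.sessionDestroyed(id);
                } catch (RuntimeException e) {
                    // Log and continue: one misbehaving listener must not block the others.
                    System.err.println("sessionDestroyed failed for " + id + ": " + e);
                }
            }
        } finally {
            mgr.invalidateAll(id);    // runs even if something unexpected escapes above
        }
    }

    /** Application-side workaround for listeners you control: never let exceptions escape. */
    static DestroyedListener guarded(DestroyedListener inner) {
        return id -> {
            try {
                inner.sessionDestroyed(id);
            } catch (RuntimeException e) {
                System.err.println("listener error contained for " + id + ": " + e);
            }
        };
    }

    /** A listener that fails, e.g. a cleanup call against a backend that is down. */
    static final DestroyedListener FAILING = id -> {
        throw new IllegalStateException("cleanup backend unavailable");
    };

    /** Returns true if the id is still usable after an invalidation attempt with the given strategy. */
    static boolean idSurvives(boolean hardened, DestroyedListener listener) {
        IdManager mgr = new IdManager();
        String id = mgr.newSessionId();
        List<DestroyedListener> listeners = new ArrayList<>();
        listeners.add(listener);
        try {
            if (hardened) {
                invalidateHardened(mgr, id, listeners);
            } else {
                invalidateVulnerable(mgr, id, listeners);
            }
        } catch (RuntimeException e) {
            // The container would log this and move on; on the vulnerable path the id was never released.
        }
        return mgr.isIdInUse(id);
    }

    public static void main(String[] args) {
        System.out.println("vulnerable path, throwing listener, id still live: "
                + idSurvives(false, FAILING));
        System.out.println("hardened path,   throwing listener, id still live: "
                + idSurvives(true, FAILING));
        System.out.println("vulnerable path, guarded listener,  id still live: "
                + idSurvives(false, guarded(FAILING)));
    }
}
```

The session ID only survives the invalidation attempt on the vulnerable path with an unguarded throwing listener; both the hardened container ordering and the guarded listener release it. In a real deployment the same check is to call invalidate() on a session whose listener is known to fail and then confirm with the session ID manager that the ID is no longer in use.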


How to mitigate CVE-2021-34428

Install updates from the vendor's website. The issue is fixed in Jetty 9.4.41, 10.0.3 and 11.0.3; earlier releases in each of those branches are affected. Until you can upgrade, make sure that sessionDestroyed() implementations in your own HttpSessionListener classes catch their exceptions instead of letting them propagate, since an escaping exception is what prevents the session ID from being invalidated.

Sources