Vulnerability identifier: #VU80793
Vulnerability risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-285 (Improper Authorization)
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Jetty (Server applications / Web servers)
Vendor: Eclipse
Description
The vulnerability allows a remote user whose authentication has been revoked to keep acting as an authenticated user for one more request.
The vulnerability exists due to an error in the revocation handling of the OpenID Connect authenticator. If a Jetty OpenIdAuthenticator is configured with the optional nested LoginService, and that LoginService decides (through its validate() check) to revoke an already authenticated user, then the request on which the revocation is detected is still processed as authenticated. The authentication is cleared from the session afterwards, so subsequent requests are rejected; the exposure is limited to that single request. Deployments that use OpenIdAuthenticator without a nested LoginService are not affected.
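The following is an added example, not code from the page or from the Jetty project, showing where the nested LoginService sits and how a deployment can close the one-request window itself. It assumes the Jetty 10.0.x API with javax.servlet; the class names RevocableLoginService, RevocationFilter and the issuer/client values are assumptions for illustration. The filter is a defence-in-depth mitigation for servers that cannot be updated immediately; it is not the upstream fix.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.openid.OpenIdAuthenticator;
import org.eclipse.jetty.security.openid.OpenIdConfiguration;
import org.eclipse.jetty.security.openid.OpenIdLoginService;
import org.eclipse.jetty.server.UserIdentity;

public class OpenIdRevocationExample {

    /** Hypothetical nested LoginService: admits any verified OIDC subject unless it has been revoked. */
    public static class RevocableLoginService implements LoginService {
        // Constructed revocation list; in practice fed by an admin action or IdP back-channel logout.
        public static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();
        private IdentityService identityService;

        @Override public String getName() { return "revocable"; }

        // Called by OpenIdLoginService once the ID token is verified; username is the OIDC 'sub'.
        @Override public UserIdentity login(String username, Object credentials, ServletRequest request) {
            if (REVOKED.contains(username)) return null;          // refuse a revoked subject outright
            Principal principal = () -> username;                 // Principal is a single-method interface
            Subject subject = new Subject();
            subject.getPrincipals().add(principal);
            subject.setReadOnly();
            return identityService.newUserIdentity(subject, principal, new String[] {"user"});
        }

        // Called on each request that carries an existing session authentication. Returning false is
        // the "revocation" the advisory describes: unpatched Jetty still serves that one request.
        @Override public boolean validate(UserIdentity user) {
            return !REVOKED.contains(user.getUserPrincipal().getName());
        }

        @Override public IdentityService getIdentityService() { return identityService; }
        @Override public void setIdentityService(IdentityService service) { identityService = service; }
        @Override public void logout(UserIdentity user) { /* nothing to release */ }
    }

    /** Defence in depth: re-check the same revocation list on the request itself, so a subject that
     *  validate() has just rejected is refused here instead of reaching the application once more. */
    public static class RevocationFilter implements Filter {
        @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal p = http.getUserPrincipal();
            if (p != null && RevocableLoginService.REVOKED.contains(p.getName())) {
                HttpSession session = http.getSession(false);
                if (session != null) session.invalidate();     // drop the stale session authentication
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /** Wires OpenIdAuthenticator with the nested LoginService; issuer and client values are assumed. */
    public static ConstraintSecurityHandler securityHandler() {
        OpenIdConfiguration oidc =
            new OpenIdConfiguration("https://issuer.example", "client-id", "client-secret");
        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.setRealmName("revocable");
        security.setLoginService(new OpenIdLoginService(oidc, new RevocableLoginService()));
        security.setAuthenticator(new OpenIdAuthenticator(oidc, "/error"));
        return security;
    }
}
```

Register RevocationFilter on every protected path (for example via ServletContextHandler.addFilter) ahead of application servlets; it consults the same revocation set as the LoginService, so the two cannot disagree about who is revoked. Once the server runs a fixed Jetty version the filter becomes redundant but harmless.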
Mitigation
Install updates from vendor's website. According to the linked advisory the issue is fixed in Jetty 9.4.52, 10.0.16 and 11.0.16. Until updated, deployments that configure OpenIdAuthenticator without a nested LoginService are not exposed, and those that do can re-check revocation status in a request filter ahead of the application.
Vulnerable software versions
Jetty: 9.0.0.v20130308 - 11.0.15
External links
http://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
http://github.com/jetty/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited via the Internet by a remote user who has already authenticated through OpenID Connect and whose authentication is then revoked by the nested LoginService.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.