For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, a session may therefore remain valid after it should have been invalidated, leaving an application used on a shared computer logged in. The vulnerability is classified as low severity with a CVSS score of 2.9.
Risk to organizations includes unauthorized access to sensitive information if sessions are not properly terminated. Given the nature of the vulnerability, it is crucial to recognize that even low-severity vulnerabilities can have significant implications in shared environments.
Organizations should prioritize addressing this vulnerability in their patch cycles, as failure to do so may leave systems exposed to potential attacks.
Current exploitation status indicates that while there are no known exploits available in public databases, a proof of concept has been found in a GitHub repository. Organizations should remain vigilant and consider potential risks associated with this vulnerability.
Organizations should prioritize patching immediately.
Vulnerability Details
CVE-2021-34428 affects Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2. The vulnerability occurs when an exception is thrown in the SessionListener#sessionDestroyed() method, leading to failure in session ID invalidation. This results in a session remaining active, which can be exploited in shared environments.
The vulnerability is classified under CWE-613, which pertains to the failure to invalidate session IDs.
Technical Analysis
The root cause of this vulnerability is an exception handling flaw that prevents proper session invalidation. The attack vector is physical, requiring a user with access to the affected system to exploit the flaw.
The attack complexity is high, and no privileges are required to reproduce the issue. User interaction is necessary for exploitation, as an attacker must be able to trigger the exception.
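To make the root cause concrete, here is an added illustration of the CWE-613 pattern described above, using a hypothetical minimal session model rather than Jetty's own classes (the SessionIdManager, SessionListener and invalidate* names below are assumptions for the example, not Jetty APIs). It places the fragile ordering, where a throwing listener skips ID invalidation, beside a hardened form that removes the ID regardless of listener failures:

```java
import java.util.HashSet;
import java.util.Set;

// Hypothetical model (not Jetty's code) of the CWE-613 pattern behind
// CVE-2021-34428: a listener callback that throws before the session ID
// manager is told to forget the ID.
public class SessionInvalidationDemo {

    interface SessionListener { void sessionDestroyed(String id); }

    // Stand-in for a shared, cluster-wide session ID manager.
    static final class SessionIdManager {
        private final Set<String> liveIds = new HashSet<>();
        void register(String id) { liveIds.add(id); }
        void invalidate(String id) { liveIds.remove(id); }
        boolean isLive(String id) { return liveIds.contains(id); }
    }

    // Fragile ordering: if the listener throws, invalidate() is never reached,
    // so the ID stays live and the session survives on other contexts/nodes.
    static void invalidateUnsafe(SessionIdManager mgr, SessionListener l, String id) {
        l.sessionDestroyed(id);
        mgr.invalidate(id);
    }

    // Hardened ordering: a listener failure is logged and contained, and the
    // finally block guarantees the ID manager forgets the ID.
    static void invalidateSafe(SessionIdManager mgr, SessionListener l, String id) {
        try {
            l.sessionDestroyed(id);
        } catch (RuntimeException e) {
            System.err.println("sessionDestroyed failed for " + id + ": " + e);
        } finally {
            mgr.invalidate(id);
        }
    }

    public static void main(String[] args) {
        // Constructed faulty listener that always throws from sessionDestroyed().
        SessionListener faulty = id -> { throw new IllegalStateException("listener bug"); };

        SessionIdManager mgr = new SessionIdManager();
        mgr.register("node1abc");
        try { invalidateUnsafe(mgr, faulty, "node1abc"); } catch (RuntimeException ignored) { }
        System.out.println("unsafe: ID still live = " + mgr.isLive("node1abc"));

        mgr = new SessionIdManager();
        mgr.register("node1abc");
        invalidateSafe(mgr, faulty, "node1abc");
        System.out.println("safe:   ID still live = " + mgr.isLive("node1abc"));
    }
}
```

Running main shows the ID surviving the unsafe path and being removed on the safe path; the same try/finally discipline is the check to look for when reviewing any session-teardown code that fans out to user-supplied listeners.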
Risk & Impact Analysis
The real-world risk of this vulnerability lies in the potential for unauthorized access to applications where users remain logged in after they should have been logged out. This could lead to data breaches or unauthorized actions being taken on behalf of legitimate users.
The blast radius can be significant in multi-user environments or applications where sensitive information is available. Organizations should assess their deployment configurations to understand the full impact.
Urgency is assessed as low, but organizations should act as part of their regular maintenance routines to prevent potential exploitation.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | Yes |
| Public PoC | Yes |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
Affected versions include Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2. Organizations should verify their current version and apply patches as soon as possible.
Mitigation & Remediation
Organizations should apply the latest patches from the vendor to mitigate this vulnerability, and verify after upgrading that the running Jetty version is no longer within the affected ranges.
Detection Guidance
Monitor logs for any anomalies related to session management. Behavioral indicators of unauthorized access should be flagged for further investigation.
AppSecure Threat Intelligence Insight
This vulnerability highlights the importance of robust session management in web applications. Security teams should focus on implementing rigorous testing methodologies. For further reading on security testing, please refer to the following articles: penetration testing methodology, vulnerability management program design, and web application penetration testing to fortify defenses.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.