For Eclipse Jetty versions <= 9.4.40, <= 10.0.2 and <= 11.0.2, if an HttpSessionListener#sessionDestroyed() callback throws an exception during session invalidation, the session ID is never invalidated in the SessionIdManager. On deployments with clustered sessions and multiple contexts this can leave the session valid after the user has logged out, so an application used on a shared computer can be left logged in.
Fix status: fixed in Jetty 9.4.41, 10.0.3 and 11.0.3, the first releases above the affected ranges given in the description. If you cannot upgrade, review every HttpSessionListener#sessionDestroyed() implementation deployed in your applications and make sure none of them can throw, since an exception escaping that callback is what leaves the session ID live.
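The following is a constructed model of the failure mode, added here as an example; it is not Jetty's code, and the names SessionListener, SessionIdManager, invalidateVulnerable, invalidateHardened and guarded are stand-ins chosen for the illustration. It shows the ordering the description implies (listener callback first, ID-manager invalidation second) failing when the listener throws, the same step wrapped in a finally block so the ID is always retired, and an application-side listener wrapper that keeps exceptions from escaping on a server that cannot yet be upgraded.

```java
import java.util.HashSet;
import java.util.Set;

/**
 * Constructed model of the CVE's failure mode (not Jetty's code).
 * All type and method names below are stand-ins for this example.
 */
public class SessionInvalidationDemo {

    /** Stand-in for a servlet HttpSessionListener. */
    interface SessionListener {
        void sessionDestroyed(String sessionId);
    }

    /** Stand-in for the node-wide ID manager that decides whether an ID is still live. */
    static class SessionIdManager {
        private final Set<String> liveIds = new HashSet<>();
        void add(String id) { liveIds.add(id); }
        void expireAll(String id) { liveIds.remove(id); }   // retires the ID for every context
        boolean isLive(String id) { return liveIds.contains(id); }
    }

    /** Vulnerable ordering: a throwing listener skips the ID-manager step entirely. */
    static void invalidateVulnerable(SessionIdManager mgr, SessionListener l, String id) {
        l.sessionDestroyed(id);   // may throw
        mgr.expireAll(id);        // not reached if it does
    }

    /** Hardened ordering: the ID is retired even when the listener fails. */
    static void invalidateHardened(SessionIdManager mgr, SessionListener l, String id) {
        try {
            l.sessionDestroyed(id);
        } finally {
            mgr.expireAll(id);
        }
    }

    /** Application-side workaround for unpatched servers: never let a listener exception escape. */
    static SessionListener guarded(SessionListener inner) {
        return id -> {
            try {
                inner.sessionDestroyed(id);
            } catch (RuntimeException e) {
                System.err.println("sessionDestroyed failed for " + id + ": " + e.getMessage());
            }
        };
    }

    /** A listener whose cleanup fails, standing in for any buggy application listener. */
    static SessionListener faultyListener() {
        return id -> { throw new IllegalStateException("cleanup failed"); };
    }

    public static void main(String[] args) {
        String id = "node0abc123";   // constructed sample session ID

        SessionIdManager m1 = new SessionIdManager();
        m1.add(id);
        try { invalidateVulnerable(m1, faultyListener(), id); } catch (RuntimeException ignored) { }
        System.out.println("vulnerable ordering, id live after logout: " + m1.isLive(id));

        SessionIdManager m2 = new SessionIdManager();
        m2.add(id);
        try { invalidateHardened(m2, faultyListener(), id); } catch (RuntimeException ignored) { }
        System.out.println("hardened ordering, id live after logout: " + m2.isLive(id));

        SessionIdManager m3 = new SessionIdManager();
        m3.add(id);
        invalidateVulnerable(m3, guarded(faultyListener()), id);   // nothing escapes the wrapper
        System.out.println("vulnerable ordering with guarded listener, id live after logout: " + m3.isLive(id));
    }
}
```

The first case is the condition the description names: the logout request fails with the listener's exception and the ID stays in the manager, so any other context in the cluster still accepts it. The second case is the shape of a server-side fix; the third is what an application can do on its own until it upgrades, at the cost of only logging the listener failure instead of surfacing it.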
Affected products: 19 (eclipse / jetty and 18 more). References: 24.
Version ranges are as listed on the page ("-" means no range is given); the Jetty row is taken from the description above.

| Vendor | Product | Affected versions | Notes |
| --- | --- | --- | --- |
| eclipse | jetty | <= 9.4.40, <= 10.0.2, <= 11.0.2 | - |
| debian | debian_linux | - | - |
| netapp | active_iq_unified_manager | - | - |
| netapp | e-series_santricity_os_controller | 11.0 - 11.70.1 | - |
| netapp | e-series_santricity_web_services | - | - |
| netapp | element_plug-in_for_vcenter_server | - | - |
| netapp | santricity_cloud_connector | - | - |
| netapp | snap_creator_framework | - | - |
| netapp | snapmanager | - | - |
| oracle | autovue_for_agile_product_lifecycle_management | - | - |
| oracle | communications_element_manager | - | - |
| oracle | communications_services_gatekeeper | - | - |
| oracle | communications_session_report_manager | 8.0.0.0 - 8.2.4.0 | - |
| oracle | communications_session_route_manager | 8.0.0 - 8.2.4.0 | - |
| oracle | rest_data_services | 21.3 | - |
| oracle | siebel_core_-_automation | 21.9 | - |
CVSS 3.1 vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N (physical attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, low confidentiality and integrity impact, no availability impact).