Vulnerability Details CVE-2021-34428
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.4%
CVSS Severity
CVSS v3 Score 2.9
CVSS v2 Score 3.6
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210813-0003/
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210813-0003/
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2021-34428
-
cpe:2.3:a:eclipse:jetty:1.0
-
cpe:2.3:a:eclipse:jetty:1.0.1
-
cpe:2.3:a:eclipse:jetty:1.1
-
cpe:2.3:a:eclipse:jetty:1.1.1
-
cpe:2.3:a:eclipse:jetty:1.3
-
cpe:2.3:a:eclipse:jetty:1.3.0
-
cpe:2.3:a:eclipse:jetty:10.0.0
-
cpe:2.3:a:eclipse:jetty:10.0.1
-
cpe:2.3:a:eclipse:jetty:10.0.2
-
cpe:2.3:a:eclipse:jetty:11.0.0
-
cpe:2.3:a:eclipse:jetty:11.0.1
-
cpe:2.3:a:eclipse:jetty:11.0.2
-
cpe:2.3:a:eclipse:jetty:3.0.0
-
cpe:2.3:a:eclipse:jetty:4.1.0
-
cpe:2.3:a:eclipse:jetty:4.2.20
-
cpe:2.3:a:eclipse:jetty:4.2.21
-
cpe:2.3:a:eclipse:jetty:4.2.23
-
cpe:2.3:a:eclipse:jetty:4.2.24
-
cpe:2.3:a:eclipse:jetty:4.2.25
-
cpe:2.3:a:eclipse:jetty:4.2.26
-
cpe:2.3:a:eclipse:jetty:4.2.27
-
cpe:2.3:a:eclipse:jetty:5.0.0
-
cpe:2.3:a:eclipse:jetty:5.1.0
-
cpe:2.3:a:eclipse:jetty:5.1.1
-
cpe:2.3:a:eclipse:jetty:5.1.10
-
cpe:2.3:a:eclipse:jetty:5.1.11
-
cpe:2.3:a:eclipse:jetty:5.1.12
-
cpe:2.3:a:eclipse:jetty:5.1.2
-
cpe:2.3:a:eclipse:jetty:5.1.3
-
cpe:2.3:a:eclipse:jetty:5.1.4
-
cpe:2.3:a:eclipse:jetty:5.1.5
-
cpe:2.3:a:eclipse:jetty:5.1.6
-
cpe:2.3:a:eclipse:jetty:5.1.7
-
cpe:2.3:a:eclipse:jetty:5.1.8
-
cpe:2.3:a:eclipse:jetty:5.1.9
-
cpe:2.3:a:eclipse:jetty:6.0.0
-
cpe:2.3:a:eclipse:jetty:6.0.1
-
cpe:2.3:a:eclipse:jetty:6.0.2
-
cpe:2.3:a:eclipse:jetty:6.1.0
-
cpe:2.3:a:eclipse:jetty:6.1.1
-
cpe:2.3:a:eclipse:jetty:6.1.10
-
cpe:2.3:a:eclipse:jetty:6.1.11
-
cpe:2.3:a:eclipse:jetty:6.1.12
-
cpe:2.3:a:eclipse:jetty:6.1.14
-
cpe:2.3:a:eclipse:jetty:6.1.15
-
cpe:2.3:a:eclipse:jetty:6.1.16
-
cpe:2.3:a:eclipse:jetty:6.1.17
-
cpe:2.3:a:eclipse:jetty:6.1.18
-
cpe:2.3:a:eclipse:jetty:6.1.19
-
cpe:2.3:a:eclipse:jetty:6.1.2
-
cpe:2.3:a:eclipse:jetty:6.1.20
-
cpe:2.3:a:eclipse:jetty:6.1.21
-
cpe:2.3:a:eclipse:jetty:6.1.22
-
cpe:2.3:a:eclipse:jetty:6.1.23
-
cpe:2.3:a:eclipse:jetty:6.1.24
-
cpe:2.3:a:eclipse:jetty:6.1.25
-
cpe:2.3:a:eclipse:jetty:6.1.26
-
cpe:2.3:a:eclipse:jetty:6.1.3
-
cpe:2.3:a:eclipse:jetty:6.1.4
-
cpe:2.3:a:eclipse:jetty:6.1.5
-
cpe:2.3:a:eclipse:jetty:6.1.6
-
cpe:2.3:a:eclipse:jetty:6.1.7
-
cpe:2.3:a:eclipse:jetty:6.1.8
-
cpe:2.3:a:eclipse:jetty:6.1.9
-
cpe:2.3:a:eclipse:jetty:7.0.0
-
cpe:2.3:a:eclipse:jetty:7.0.1
-
cpe:2.3:a:eclipse:jetty:7.0.2
-
cpe:2.3:a:eclipse:jetty:7.1.0
-
cpe:2.3:a:eclipse:jetty:7.1.1
-
cpe:2.3:a:eclipse:jetty:7.1.2
-
cpe:2.3:a:eclipse:jetty:7.1.3
-
cpe:2.3:a:eclipse:jetty:7.1.4
-
cpe:2.3:a:eclipse:jetty:7.1.5
-
cpe:2.3:a:eclipse:jetty:7.1.6
-
cpe:2.3:a:eclipse:jetty:7.2.0
-
cpe:2.3:a:eclipse:jetty:7.2.1
-
cpe:2.3:a:eclipse:jetty:7.2.2
-
cpe:2.3:a:eclipse:jetty:7.3.0
-
cpe:2.3:a:eclipse:jetty:7.3.1
-
cpe:2.3:a:eclipse:jetty:7.4.0
-
cpe:2.3:a:eclipse:jetty:7.4.1
-
cpe:2.3:a:eclipse:jetty:7.4.2
-
cpe:2.3:a:eclipse:jetty:7.4.3
-
cpe:2.3:a:eclipse:jetty:7.4.4
-
cpe:2.3:a:eclipse:jetty:7.4.5
-
cpe:2.3:a:eclipse:jetty:7.5.0
-
cpe:2.3:a:eclipse:jetty:7.5.1
-
cpe:2.3:a:eclipse:jetty:7.5.2
-
cpe:2.3:a:eclipse:jetty:7.5.3
-
cpe:2.3:a:eclipse:jetty:7.5.4
-
cpe:2.3:a:eclipse:jetty:7.6.0
-
cpe:2.3:a:eclipse:jetty:7.6.1
-
cpe:2.3:a:eclipse:jetty:7.6.10
-
cpe:2.3:a:eclipse:jetty:7.6.11
-
cpe:2.3:a:eclipse:jetty:7.6.12
-
cpe:2.3:a:eclipse:jetty:7.6.13
-
cpe:2.3:a:eclipse:jetty:7.6.14
-
cpe:2.3:a:eclipse:jetty:7.6.15
-
cpe:2.3:a:eclipse:jetty:7.6.16
-
cpe:2.3:a:eclipse:jetty:7.6.17
-
cpe:2.3:a:eclipse:jetty:7.6.18
-
cpe:2.3:a:eclipse:jetty:7.6.19
-
cpe:2.3:a:eclipse:jetty:7.6.2
-
cpe:2.3:a:eclipse:jetty:7.6.20
-
cpe:2.3:a:eclipse:jetty:7.6.21
-
cpe:2.3:a:eclipse:jetty:7.6.3
-
cpe:2.3:a:eclipse:jetty:7.6.4
-
cpe:2.3:a:eclipse:jetty:7.6.5
-
cpe:2.3:a:eclipse:jetty:7.6.6
-
cpe:2.3:a:eclipse:jetty:7.6.7
-
cpe:2.3:a:eclipse:jetty:7.6.8
-
cpe:2.3:a:eclipse:jetty:7.6.9
-
cpe:2.3:a:eclipse:jetty:8-historical
-
cpe:2.3:a:eclipse:jetty:8.0.0
-
cpe:2.3:a:eclipse:jetty:8.0.1
-
cpe:2.3:a:eclipse:jetty:8.0.2
-
cpe:2.3:a:eclipse:jetty:8.0.3
-
cpe:2.3:a:eclipse:jetty:8.0.4
-
cpe:2.3:a:eclipse:jetty:8.1.0
-
cpe:2.3:a:eclipse:jetty:8.1.1
-
cpe:2.3:a:eclipse:jetty:8.1.10
-
cpe:2.3:a:eclipse:jetty:8.1.11
-
cpe:2.3:a:eclipse:jetty:8.1.12
-
cpe:2.3:a:eclipse:jetty:8.1.13
-
cpe:2.3:a:eclipse:jetty:8.1.14
-
cpe:2.3:a:eclipse:jetty:8.1.15
-
cpe:2.3:a:eclipse:jetty:8.1.16
-
cpe:2.3:a:eclipse:jetty:8.1.17
-
cpe:2.3:a:eclipse:jetty:8.1.18
-
cpe:2.3:a:eclipse:jetty:8.1.19
-
cpe:2.3:a:eclipse:jetty:8.1.2
-
cpe:2.3:a:eclipse:jetty:8.1.20
-
cpe:2.3:a:eclipse:jetty:8.1.21
-
cpe:2.3:a:eclipse:jetty:8.1.22
-
cpe:2.3:a:eclipse:jetty:8.1.3
-
cpe:2.3:a:eclipse:jetty:8.1.4
-
cpe:2.3:a:eclipse:jetty:8.1.5
-
cpe:2.3:a:eclipse:jetty:8.1.6
-
cpe:2.3:a:eclipse:jetty:8.1.7
-
cpe:2.3:a:eclipse:jetty:8.1.8
-
cpe:2.3:a:eclipse:jetty:8.1.9
-
cpe:2.3:a:eclipse:jetty:8.2.0
-
cpe:2.3:a:eclipse:jetty:9.0.0
-
cpe:2.3:a:eclipse:jetty:9.0.1
-
cpe:2.3:a:eclipse:jetty:9.0.2
-
cpe:2.3:a:eclipse:jetty:9.0.3
-
cpe:2.3:a:eclipse:jetty:9.0.4
-
cpe:2.3:a:eclipse:jetty:9.0.5
-
cpe:2.3:a:eclipse:jetty:9.0.6
-
cpe:2.3:a:eclipse:jetty:9.0.7
-
cpe:2.3:a:eclipse:jetty:9.1.0
-
cpe:2.3:a:eclipse:jetty:9.1.1
-
cpe:2.3:a:eclipse:jetty:9.1.2
-
cpe:2.3:a:eclipse:jetty:9.1.3
-
cpe:2.3:a:eclipse:jetty:9.1.4
-
cpe:2.3:a:eclipse:jetty:9.1.5
-
cpe:2.3:a:eclipse:jetty:9.1.6
-
cpe:2.3:a:eclipse:jetty:9.2.0
-
cpe:2.3:a:eclipse:jetty:9.2.1
-
cpe:2.3:a:eclipse:jetty:9.2.10
-
cpe:2.3:a:eclipse:jetty:9.2.11
-
cpe:2.3:a:eclipse:jetty:9.2.12
-
cpe:2.3:a:eclipse:jetty:9.2.13
-
cpe:2.3:a:eclipse:jetty:9.2.14
-
cpe:2.3:a:eclipse:jetty:9.2.15
-
cpe:2.3:a:eclipse:jetty:9.2.16
-
cpe:2.3:a:eclipse:jetty:9.2.17
-
cpe:2.3:a:eclipse:jetty:9.2.18
-
cpe:2.3:a:eclipse:jetty:9.2.19
-
cpe:2.3:a:eclipse:jetty:9.2.2
-
cpe:2.3:a:eclipse:jetty:9.2.20
-
cpe:2.3:a:eclipse:jetty:9.2.21
-
cpe:2.3:a:eclipse:jetty:9.2.22
-
cpe:2.3:a:eclipse:jetty:9.2.23
-
cpe:2.3:a:eclipse:jetty:9.2.24
-
cpe:2.3:a:eclipse:jetty:9.2.25
-
cpe:2.3:a:eclipse:jetty:9.2.26
-
cpe:2.3:a:eclipse:jetty:9.2.27
-
cpe:2.3:a:eclipse:jetty:9.2.28
-
cpe:2.3:a:eclipse:jetty:9.2.3
-
cpe:2.3:a:eclipse:jetty:9.2.4
-
cpe:2.3:a:eclipse:jetty:9.2.5
-
cpe:2.3:a:eclipse:jetty:9.2.6
-
cpe:2.3:a:eclipse:jetty:9.2.7
-
cpe:2.3:a:eclipse:jetty:9.2.8
-
cpe:2.3:a:eclipse:jetty:9.2.9
-
cpe:2.3:a:eclipse:jetty:9.3.0
-
cpe:2.3:a:eclipse:jetty:9.3.1
-
cpe:2.3:a:eclipse:jetty:9.3.10
-
cpe:2.3:a:eclipse:jetty:9.3.11
-
cpe:2.3:a:eclipse:jetty:9.3.12
-
cpe:2.3:a:eclipse:jetty:9.3.13
-
cpe:2.3:a:eclipse:jetty:9.3.14
-
cpe:2.3:a:eclipse:jetty:9.3.15
-
cpe:2.3:a:eclipse:jetty:9.3.16
-
cpe:2.3:a:eclipse:jetty:9.3.17
-
cpe:2.3:a:eclipse:jetty:9.3.18
-
cpe:2.3:a:eclipse:jetty:9.3.19
-
cpe:2.3:a:eclipse:jetty:9.3.2
-
cpe:2.3:a:eclipse:jetty:9.3.20
-
cpe:2.3:a:eclipse:jetty:9.3.21
-
cpe:2.3:a:eclipse:jetty:9.3.22
-
cpe:2.3:a:eclipse:jetty:9.3.23
-
cpe:2.3:a:eclipse:jetty:9.3.24
-
cpe:2.3:a:eclipse:jetty:9.3.25
-
cpe:2.3:a:eclipse:jetty:9.3.26
-
cpe:2.3:a:eclipse:jetty:9.3.27
-
cpe:2.3:a:eclipse:jetty:9.3.29
-
cpe:2.3:a:eclipse:jetty:9.3.3
-
cpe:2.3:a:eclipse:jetty:9.3.4
-
cpe:2.3:a:eclipse:jetty:9.3.5
-
cpe:2.3:a:eclipse:jetty:9.3.6
-
cpe:2.3:a:eclipse:jetty:9.3.7
-
cpe:2.3:a:eclipse:jetty:9.3.8
-
cpe:2.3:a:eclipse:jetty:9.3.9
-
cpe:2.3:a:eclipse:jetty:9.4.0
-
cpe:2.3:a:eclipse:jetty:9.4.1
-
cpe:2.3:a:eclipse:jetty:9.4.10
-
cpe:2.3:a:eclipse:jetty:9.4.11
-
cpe:2.3:a:eclipse:jetty:9.4.12
-
cpe:2.3:a:eclipse:jetty:9.4.13
-
cpe:2.3:a:eclipse:jetty:9.4.14
-
cpe:2.3:a:eclipse:jetty:9.4.15
-
cpe:2.3:a:eclipse:jetty:9.4.16
-
cpe:2.3:a:eclipse:jetty:9.4.17
-
cpe:2.3:a:eclipse:jetty:9.4.18
-
cpe:2.3:a:eclipse:jetty:9.4.19
-
cpe:2.3:a:eclipse:jetty:9.4.2
-
cpe:2.3:a:eclipse:jetty:9.4.20
-
cpe:2.3:a:eclipse:jetty:9.4.21
-
cpe:2.3:a:eclipse:jetty:9.4.22
-
cpe:2.3:a:eclipse:jetty:9.4.23
-
cpe:2.3:a:eclipse:jetty:9.4.24
-
cpe:2.3:a:eclipse:jetty:9.4.25
-
cpe:2.3:a:eclipse:jetty:9.4.26
-
cpe:2.3:a:eclipse:jetty:9.4.27
-
cpe:2.3:a:eclipse:jetty:9.4.28
-
cpe:2.3:a:eclipse:jetty:9.4.29
-
cpe:2.3:a:eclipse:jetty:9.4.3
-
cpe:2.3:a:eclipse:jetty:9.4.30
-
cpe:2.3:a:eclipse:jetty:9.4.31
-
cpe:2.3:a:eclipse:jetty:9.4.32
-
cpe:2.3:a:eclipse:jetty:9.4.33
-
cpe:2.3:a:eclipse:jetty:9.4.34
-
cpe:2.3:a:eclipse:jetty:9.4.35
-
cpe:2.3:a:eclipse:jetty:9.4.36
-
cpe:2.3:a:eclipse:jetty:9.4.37
-
cpe:2.3:a:eclipse:jetty:9.4.38
-
cpe:2.3:a:eclipse:jetty:9.4.39
-
cpe:2.3:a:eclipse:jetty:9.4.4
-
cpe:2.3:a:eclipse:jetty:9.4.40
-
cpe:2.3:a:eclipse:jetty:9.4.5
-
cpe:2.3:a:eclipse:jetty:9.4.6
-
cpe:2.3:a:eclipse:jetty:9.4.7
-
cpe:2.3:a:eclipse:jetty:9.4.8
-
cpe:2.3:a:eclipse:jetty:9.4.9
-
cpe:2.3:a:netapp:active_iq_unified_manager:-
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.20
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.25
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30.5r3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.3r2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.5
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.1
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.1
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.70.1
-
cpe:2.3:a:netapp:e-series_santricity_web_services:-
-
cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-
-
cpe:2.3:a:netapp:santricity_cloud_connector:-
-
cpe:2.3:a:netapp:snap_creator_framework:-
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2
-
cpe:2.3:a:oracle:communications_element_manager:8.2.2
-
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0
-
cpe:2.3:a:oracle:communications_session_report_manager:8.0.0.0
-
cpe:2.3:a:oracle:communications_session_report_manager:8.1.0
-
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1
-
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0
-
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1
-
cpe:2.3:a:oracle:communications_session_report_manager:8.2.2
-
cpe:2.3:a:oracle:communications_session_report_manager:8.2.2.1
-
cpe:2.3:a:oracle:communications_session_report_manager:8.2.4.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.0.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.1.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.4
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.4.0
-
cpe:2.3:a:oracle:rest_data_services:11.2.0.4
-
cpe:2.3:a:oracle:rest_data_services:12.1.0.2
-
cpe:2.3:a:oracle:rest_data_services:12.2.0.1
-
cpe:2.3:a:oracle:rest_data_services:18c
-
cpe:2.3:a:oracle:rest_data_services:19c
-
cpe:2.3:a:oracle:rest_data_services:20.4.3.050.1904
-
cpe:2.3:a:oracle:rest_data_services:21.2
-
cpe:2.3:a:oracle:rest_data_services:21.2.4
-
cpe:2.3:a:oracle:siebel_core_-_automation:-
-
cpe:2.3:a:oracle:siebel_core_-_automation:21.5
-
cpe:2.3:a:oracle:siebel_core_-_automation:21.9
-
cpe:2.3:o:debian:debian_linux:10.0