ar-abed / sample

MIT License
0 stars 0 forks source link

CVE-2021-34428 (Low) detected in jetty-server-9.4.11.v20180605.jar #26

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2021-34428 - Low Severity Vulnerability

Vulnerable Library - jetty-server-9.4.11.v20180605.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /build.gradle

Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.11.v20180605/58353c2f27515b007fc83ae22002feb34fc24714/jetty-server-9.4.11.v20180605.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.11.v20180605/58353c2f27515b007fc83ae22002feb34fc24714/jetty-server-9.4.11.v20180605.jar

Dependency Hierarchy: - :x: **jetty-server-9.4.11.v20180605.jar** (Vulnerable Library)

Found in HEAD commit: 722089816e5192b667c19cb836256ef6da8be1ac

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: 2021-06-22

URL: CVE-2021-34428

CVSS 3 Score Details (2.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Physical - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6

Release Date: 2021-06-22

Fix Resolution: 9.4.41.v20210516


Step up your Open Source Security Game with Mend here