CVE-2018-12538 Vulnerability Details

  /     /     /  

CVE-2018-12538 Metadata Quick Info

CVE Published: 22/06/2018 | CVE Updated: 05/08/2024 | CVE Year: 2018
Source: eclipse | Vendor: The Eclipse Foundation | Product: Eclipse Jetty
Status : PUBLISHED

---

CVE-2018-12538 Description

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem\'s storage for the FileSessionDataStore.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-6
CWE Name: CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length
Source: The Eclipse Foundation

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).