First published: Tue Jun 22 2021
Eclipse Jetty could allow a physical attacker to bypass security restrictions, caused by a flaw in which the session ID is not invalidated when an exception is thrown from the SessionListener#sessionDestroyed() method. By gaining access to the application on a shared computer, an attacker could exploit this vulnerability to bypass access restrictions.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.289.3.1630554997-1.el8 | 0:2.289.3.1630554997-1.el8 |
| debian/jetty9 | 9.4.16-0+deb10u1, 9.4.50-4+deb10u1, 9.4.39-3+deb11u2, 9.4.50-4+deb11u1, 9.4.50-4+deb12u2, 9.4.53-1 | |
| redhat/jetty | <9.4.41 | 9.4.41 |
| redhat/jetty | <10.0.3 | 10.0.3 |
| redhat/jetty | <11.0.3 | 11.0.3 |
| Eclipse Jetty | <=9.4.40 | |
| Eclipse Jetty | >=10.0.0, <=10.0.2 | |
| Eclipse Jetty | >=11.0.0, <=11.0.2 | |
| Debian Debian Linux | =10.0 | |
| Netapp Active Iq Unified Manager Linux | | |
| Netapp Active Iq Unified Manager Windows | | |
| NetApp E-Series SANtricity OS Controller | >=11.0, <=11.70.1 | |
| Netapp E-series Santricity Web Services Web Services Proxy | | |
| Netapp Element Plug-in For Vcenter Server | | |
| Netapp Santricity Cloud Connector | | |
| NetApp Snap Creator Framework | | |
| Netapp Snapmanager Sap | | |
| Oracle Autovue For Agile Product Lifecycle Management | =21.0.2 | |
| Oracle Communications Element Manager | =8.2.2 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| Oracle Communications Session Report Manager | >=8.0.0.0, <=8.2.4.0 | |
| Oracle Communications Session Route Manager | >=8.0.0, <=8.2.4.0 | |
| Oracle REST Data Services | <21.3 | |
| Oracle Siebel Core - Automation | <=21.9 | |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.
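To make that mitigation concrete, the following is an added Java example (not code from the Jetty project or from this advisory). It shows a listener that lets an exception escape sessionDestroyed(), which on the affected Jetty versions leaves the session ID valid in the session ID manager, beside a listener that catches every Throwable as the advisory recommends. The SessionAuditSink interface and FlakyAuditSink class are constructed for illustration only; the javax.servlet API shown is what Jetty 9 and 10 use, while Jetty 11 uses the same types under jakarta.servlet.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example; not Jetty project code. Jetty 11 uses jakarta.servlet.* instead.

/** Hypothetical sink that a listener notifies when a session ends; may fail. */
interface SessionAuditSink {
    void sessionEnded(HttpSession session);
}

/** Constructed failing sink, used only to exercise the two listeners below. */
class FlakyAuditSink implements SessionAuditSink {
    @Override
    public void sessionEnded(HttpSession session) {
        throw new IllegalStateException("audit backend unavailable");
    }
}

/**
 * Vulnerable pattern: an exception from the sink escapes sessionDestroyed().
 * On Jetty <= 9.4.40, 10.0.0-10.0.2 and 11.0.0-11.0.2 the container then never
 * removes the ID from the session ID manager, so a user who logged out on a
 * shared computer can be left logged in.
 */
class UnguardedSessionListener implements HttpSessionListener {
    private final SessionAuditSink sink;

    UnguardedSessionListener(SessionAuditSink sink) {
        this.sink = sink;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // nothing to do on creation
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        sink.sessionEnded(se.getSession()); // IllegalStateException propagates into Jetty
    }
}

/**
 * Hardened pattern from the advisory: catch every Throwable inside
 * sessionDestroyed() so the container always finishes invalidating the session.
 */
class GuardedSessionListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(GuardedSessionListener.class.getName());
    private final SessionAuditSink sink;

    GuardedSessionListener(SessionAuditSink sink) {
        this.sink = sink;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // nothing to do on creation
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        try {
            sink.sessionEnded(se.getSession());
        } catch (Throwable t) {
            // Log and swallow: nothing thrown here may reach the container.
            // The raw session ID is deliberately kept out of the log line.
            LOG.log(Level.WARNING, "sessionDestroyed callback failed; session invalidation continues", t);
        }
    }
}
```

Register GuardedSessionListener in web.xml or via ServletContext#addListener as you would any HttpSessionListener; the difference from the unguarded version is only the try/catch around the work done in sessionDestroyed(). Upgrading to a fixed Jetty release remains the primary fix, since the catch block only protects listeners you control.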
CVE-2021-34428 is a vulnerability in Eclipse Jetty that allows a physical attacker to bypass security restrictions, caused by a session ID that is not invalidated when an exception is thrown from SessionListener#sessionDestroyed().
CVE-2021-34428 has a severity rating of low, with a severity value of 3.5.
The affected software includes Eclipse Jetty versions before 9.4.41, 10.0.3, and 11.0.3. It also affects Debian Jetty9 versions 9.4.16-0+deb10u1, 9.4.16-0+deb10u3, 9.4.39-3+deb11u2, 9.4.50-4+deb12u1, and 9.4.53-1.
To fix CVE-2021-34428, upgrade Eclipse Jetty to version 9.4.41, 10.0.3, or 11.0.3. If you're using Debian Jetty9, upgrade to one of the patched versions mentioned in the affected software list.
You can find more information about CVE-2021-34428 in the references provided, including the GitHub security advisory, Red Hat Bugzilla report, and Red Hat support policy.