Vulnerability Description
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
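The defensive pattern for application code, as an added example that is not part of the advisory or Jetty's own code: a listener whose sessionDestroyed() never lets an exception escape, so the container's own invalidation of the session ID is not skipped. The SessionAuditSink interface and SafeLogoutListener class are hypothetical names chosen for this example; the real fix for the container-side behaviour is upgrading Jetty to a version past the affected ranges listed above.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical application hook that runs when a session ends (e.g. writes an audit record). */
interface SessionAuditSink {
    void recordLogout(String sessionId);
}

/**
 * Listener that isolates application cleanup from the container's session teardown.
 * On the affected Jetty versions an exception thrown here stops the session ID from
 * being invalidated in the session ID manager; catching it keeps teardown on track.
 */
public class SafeLogoutListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SafeLogoutListener.class.getName());
    private final SessionAuditSink audit;

    public SafeLogoutListener(SessionAuditSink audit) {
        this.audit = audit;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do on creation for this example.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        String sessionId = se.getSession().getId();
        try {
            // Application-side cleanup: any failure here must not propagate.
            audit.recordLogout(sessionId);
        } catch (RuntimeException e) {
            // Log and swallow: the container must still finish invalidating the session ID.
            LOG.log(Level.WARNING, "Session cleanup failed for session " + sessionId, e);
        }
    }
}
```

The catch is deliberately broad (RuntimeException) because the goal is that no application failure, expected or not, interrupts the container's invalidation path; the logged warning is the detection signal to watch for cleanup code that is misbehaving.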
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | <= 9.4.40 |
| Debian | Debian Linux | 10.0 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.1 |
| Netapp | E-Series Santricity Web Services | - |
| Netapp | Element Plug-In For Vcenter Server | - |
| Netapp | Santricity Cloud Connector | - |
| Netapp | Snap Creator Framework | - |
| Netapp | Snapmanager | - |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 |
| Oracle | Communications Element Manager | 8.2.2 |
| Oracle | Communications Services Gatekeeper | 7.0 |
| Oracle | Communications Session Report Manager | >= 8.0.0.0, <= 8.2.4.0 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.4.0 |
| Oracle | Rest Data Services | < 21.3 |
| Oracle | Siebel Core - Automation | <= 21.9 |
Related Weaknesses (CWE)
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6 (Third Party Advisory)
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589
- https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0
- https://security.netapp.com/advisory/ntap-20210813-0003/ (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4949 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Not Applicable, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-34428?
CVE-2021-34428 is a vulnerability with a CVSS score of 2.9 (LOW). For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manag...
How severe is CVE-2021-34428?
CVE-2021-34428 has been rated LOW with a CVSS base score of 2.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-34428?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp E-Series Santricity Os Controller, Netapp E-Series Santricity Web Services.