Vulnerability in Eclipse Jetty
CVE-2018-12538
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even dele…
EPSS: 0.027 (83.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Eclipse Jetty
- Netapp Element_software
- Netapp E-series_santricity_management_plug-ins
- Netapp E-series_santricity_os_controller
- Netapp E-series_santricity_web_services_proxy
- Netapp Hyper_converged_infrastructure
- Netapp Oncommand_system_manager
- Netapp Oncommand_unified_manager
- Netapp Santricity_cloud_connector
- Netapp Snapcenter
Weakness classification (CWE)
Public proof-of-concept exploits
References
- emo@eclipse.org (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_SECTRACK)
- emo@eclipse.org (x_refsource_MISC)
- emo@eclipse.org (mailing-list, x_refsource_MLIST)
- emo@eclipse.org (x_refsource_MISC)
- emo@eclipse.org (x_refsource_CONFIRM, Third Party Advisory)
- emo@eclipse.org (x_refsource_CONFIRM, Issue Tracking, Vendor Advisory)
Frequently asked questions
- What is CVE-2018-12538?
- CVE-2018-12538 is a high-severity vulnerability in Eclipse Jetty, classified under CWE-6. CVSS score: 8.8/10. Published 2018-06-22.
- How severe is CVE-2018-12538?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2018-12538 known to be exploited?
- 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.