Описание
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | jetty-eclipse | Not affected | ||
| Red Hat Enterprise Linux 7 | jetty | Not affected | ||
| Red Hat Fuse 7 | jetty | Not affected | ||
| Red Hat JBoss Fuse 6 | jetty | Not affected | ||
| Red Hat Satellite 5 | jetty | Not affected | ||
| Red Hat Software Collections | rh-java-common-jetty | Not affected |
Показывать по
Дополнительная информация
Статус:
5.6 Medium
CVSS3
Связанные уязвимости
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional ...
Access and integrity issue within Eclipse Jetty
Уязвимость реализации класса FileSessionDataStore HTTP-сервера Jetty, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
5.6 Medium
CVSS3