CVE-2021-34428 (Low) detected in jetty-server-9.4.8.v20171121.jar

[mend-bolt-for-github]

CVE-2021-34428 - Low Severity Vulnerability

Vulnerable Library - jetty-server-9.4.8.v20171121.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar

Dependency Hierarchy:

• spark-core-2.7.2.jar (Root Library)
  • ❌ jetty-server-9.4.8.v20171121.jar (Vulnerable Library)

Found in HEAD commit: 2544bb08a0eb663391f7c8b9c2d44bfd2ae9decd

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: 2021-06-22

URL: CVE-2021-34428

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Physical
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6cp-vxjx-65j6

Release Date: 2021-06-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3

---

Step up your Open Source Security Game with WhiteSource here