CVE-2018-12538
https://notcve.org/view.php?id=CVE-2018-12538
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. En Eclipse Jetty, desde la versión 9.4.0 hasta la 9.4.8, al emplear el FileSessionDataStore opcional provisto por Jetty para el almacenamiento persistente de detalles HttpSession, es posible que un usuario malicioso acceda/secuestre otras HttpSessions e incluso elimine HttpSessions sin coincidencias presentes en el almacenamiento FileSystem para FileSessionDataStore. • http://www.securitytracker.com/id/1041194 https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018 https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E https://security.netapp.com/advisory/ntap-20181014-0001 https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html • CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length CWE-384: Session Fixation •