// For flags

CVE-2018-12538

 

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

En Eclipse Jetty, desde la versiĆ³n 9.4.0 hasta la 9.4.8, al emplear el FileSessionDataStore opcional provisto por Jetty para el almacenamiento persistente de detalles HttpSession, es posible que un usuario malicioso acceda/secuestre otras HttpSessions e incluso elimine HttpSessions sin coincidencias presentes en el almacenamiento FileSystem para FileSessionDataStore.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-06-18 CVE Reserved
  • 2018-06-22 CVE Published
  • 2024-08-05 CVE Updated
  • 2025-05-23 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length
  • CWE-384: Session Fixation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Eclipse
Search vendor "Eclipse"
 Jetty
Search vendor "Eclipse" for product "Jetty"
 >= 9.4.0 <= 9.4.8
Search vendor "Eclipse" for product "Jetty" and version " >= 9.4.0 <= 9.4.8"
-
Affected
Netapp
Search vendor "Netapp"
 E-series Santricity Management Plug-ins
Search vendor "Netapp" for product "E-series Santricity Management Plug-ins"
--
Affected
Netapp
Search vendor "Netapp"
 E-series Santricity Os Controller
Search vendor "Netapp" for product "E-series Santricity Os Controller"
 >= 11.0 <= 11.40
Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0 <= 11.40"
-
Affected
Netapp
Search vendor "Netapp"
 E-series Santricity Web Services Proxy
Search vendor "Netapp" for product "E-series Santricity Web Services Proxy"
--
Affected
Netapp
Search vendor "Netapp"
 Element Software
Search vendor "Netapp" for product "Element Software"
--
Affected
Netapp
Search vendor "Netapp"
 Hyper Converged Infrastructure
Search vendor "Netapp" for product "Hyper Converged Infrastructure"
--
Affected
Netapp
Search vendor "Netapp"
 Oncommand System Manager
Search vendor "Netapp" for product "Oncommand System Manager"
 >= 3.0.0 <= 3.1.3
Search vendor "Netapp" for product "Oncommand System Manager" and version " >= 3.0.0 <= 3.1.3"
-
Affected
Netapp
Search vendor "Netapp"
 Oncommand Unified Manager
Search vendor "Netapp" for product "Oncommand Unified Manager"
--
Affected
Netapp
Search vendor "Netapp"
 Santricity Cloud Connector
Search vendor "Netapp" for product "Santricity Cloud Connector"
--
Affected
Netapp
Search vendor "Netapp"
 Snap Creator Framework
Search vendor "Netapp" for product "Snap Creator Framework"
--
Affected
Netapp
Search vendor "Netapp"
 Snapcenter
Search vendor "Netapp" for product "Snapcenter"
--
Affected
Netapp
Search vendor "Netapp"
 Snapmanager
Search vendor "Netapp" for product "Snapmanager"
--
Affected