CVE-2021-34428
jetty: SessionListener can prevent a session from being invalidated breaking logout
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Para Eclipse Jetty versiones anteriores a 9.4.40 incluyéndola, versiones anteriores a 10.0.2 incluyéndola, versiones anteriores a 11.0.2 incluyéndola, si es lanzada una excepción desde el método SessionListener#sessionDestroyed(), el ID de sesión no es invalidado en el administrador de ID de sesión. En despliegues con sesiones agrupadas y múltiples contextos esto puede resultar en que una sesión no sea invalidada. Esto puede resultar en una aplicación usada en un ordenador compartido se quede con la sesión iniciada
A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.
AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.9.0 serves as a replacement for Red Hat AMQ Broker 7.8.2, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include bypass, denial of service, information leakage, resource exhaustion, and traversal vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-06-09 CVE Reserved
- 2021-06-22 CVE Published
- 2023-11-01 First Exploit
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-613: Insufficient Session Expiration
CAPEC
References (15)
| URL | Date | SRC |
|---|---|---|
| https://github.com/Trinadh465/jetty_9.4.31_CVE-2021-34428 | 2023-11-01 |
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://www.debian.org/security/2021/dsa-4949 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2021-34428 | 2021-12-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1974891 | 2021-12-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | <= 9.4.40 Search vendor "Eclipse" for product "Jetty" and version " <= 9.4.40" | - |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | >= 10.0.0 <= 10.0.2 Search vendor "Eclipse" for product "Jetty" and version " >= 10.0.0 <= 10.0.2" | - |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | >= 11.0.0 <= 11.0.2 Search vendor "Eclipse" for product "Jetty" and version " >= 11.0.0 <= 11.0.2" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | linux |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | windows |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller" | >= 11.0 <= 11.70.1 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0 <= 11.70.1" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Web Services Search vendor "Netapp" for product "E-series Santricity Web Services" | - | web_services_proxy |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Element Plug-in For Vcenter Server Search vendor "Netapp" for product "Element Plug-in For Vcenter Server" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Santricity Cloud Connector Search vendor "Netapp" for product "Santricity Cloud Connector" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snap Creator Framework Search vendor "Netapp" for product "Snap Creator Framework" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | sap |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Autovue For Agile Product Lifecycle Management Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" | 21.0.2 Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" and version "21.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager" | 8.2.2 Search vendor "Oracle" for product "Communications Element Manager" and version "8.2.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 7.0 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager" | >= 8.0.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.0.0.0 <= 8.2.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager" | >= 8.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Rest Data Services Search vendor "Oracle" for product "Rest Data Services" | < 21.3 Search vendor "Oracle" for product "Rest Data Services" and version " < 21.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Siebel Core - Automation Search vendor "Oracle" for product "Siebel Core - Automation" | <= 21.9 Search vendor "Oracle" for product "Siebel Core - Automation" and version " <= 21.9" | - |
Affected
| ||||||