GHSA-m6cp-vxjx-65j6

Suggest an improvement
Source
https://github.com/advisories/GHSA-m6cp-vxjx-65j6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m6cp-vxjx-65j6
Aliases
Published
2021-06-23T20:23:04Z
Modified
2024-02-17T05:35:56.664118Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
SessionListener can prevent a session from being invalidated breaking logout
Details

Impact

If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to sessionDestroyed, the getLastAccessedTime() throws an IllegalStateException, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out.

Workarounds

The application should catch all Throwables within their SessionListener#sessionDestroyed() implementations.

References

Affected packages

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.41

Affected versions

7.*

7.0.0.M0
7.0.0.M1
7.0.0.M2
7.0.0.M3
7.0.0.M4
7.0.0.RC0
7.0.0.RC1
7.0.0.RC2
7.0.0.RC3
7.0.0.RC4
7.0.0.RC5
7.0.0.RC6
7.0.0.v20091005
7.0.1.v20091125
7.0.2.RC0
7.0.2.v20100331
7.1.0.RC0
7.1.0.RC1
7.1.0.v20100505
7.1.1.v20100517
7.1.2.v20100523
7.1.3.v20100526
7.1.4.v20100610
7.1.5.v20100705
7.1.6.v20100715
7.2.0.RC0
7.2.0.v20101020
7.2.1.v20101111
7.2.2.v20101205
7.3.0.v20110203
7.3.1.v20110307
7.4.0.RC0
7.4.0.v20110414
7.4.1.v20110513
7.4.2.v20110526
7.4.3.v20110701
7.4.4.v20110707
7.4.5.v20110725
7.5.0.RC0
7.5.0.RC1
7.5.0.RC2
7.5.0.v20110901
7.5.1.v20110908
7.5.2.v20111006
7.5.3.v20111011
7.5.4.v20111024
7.6.0.RC0
7.6.0.RC1
7.6.0.RC2
7.6.0.RC3
7.6.0.RC4
7.6.0.RC5
7.6.0.v20120127
7.6.1.v20120215
7.6.2.v20120308
7.6.3.v20120416
7.6.4.v20120524
7.6.5.v20120716
7.6.6.v20120903
7.6.7.v20120910
7.6.8.v20121106
7.6.9.v20130131
7.6.10.v20130312
7.6.11.v20130520
7.6.12.v20130726
7.6.13.v20130916
7.6.14.v20131031
7.6.15.v20140411
7.6.16.v20140903
7.6.17.v20150415
7.6.18.v20150929
7.6.19.v20160209
7.6.20.v20160902
7.6.21.v20160908

8.*

8.0.0.M0
8.0.0.M1
8.0.0.M2
8.0.0.M3
8.0.0.RC0
8.0.0.v20110901
8.0.1.v20110908
8.0.2.v20111006
8.0.3.v20111011
8.0.4.v20111024
8.1.0.RC0
8.1.0.RC1
8.1.0.RC2
8.1.0.RC4
8.1.0.RC5
8.1.0.v20120127
8.1.1.v20120215
8.1.2.v20120308
8.1.3.v20120416
8.1.4.v20120524
8.1.5.v20120716
8.1.6.v20120903
8.1.7.v20120910
8.1.8.v20121106
8.1.9.v20130131
8.1.10.v20130312
8.1.11.v20130520
8.1.12.v20130726
8.1.13.v20130916
8.1.14.v20131031
8.1.15.v20140411
8.1.16.v20140903
8.1.17.v20150415
8.1.18.v20150929
8.1.19.v20160209
8.1.20.v20160902
8.1.21.v20160908
8.1.22.v20160922
8.2.0.v20160908

9.*

9.0.0.M0
9.0.0.M1
9.0.0.M2
9.0.0.M3
9.0.0.M4
9.0.0.M5
9.0.0.RC0
9.0.0.RC1
9.0.0.RC2
9.0.0.v20130308
9.0.1.v20130408
9.0.2.v20130417
9.0.3.v20130506
9.0.4.v20130625
9.0.5.v20130815
9.0.6.v20130930
9.0.7.v20131107
9.1.0.M0
9.1.0.RC0
9.1.0.RC1
9.1.0.RC2
9.1.0.v20131115
9.1.1.v20140108
9.1.2.v20140210
9.1.3.v20140225
9.1.4.v20140401
9.1.5.v20140505
9.1.6.v20160112
9.2.0.M0
9.2.0.M1
9.2.0.RC0
9.2.0.v20140526
9.2.1.v20140609
9.2.2.v20140723
9.2.3.v20140905
9.2.4.v20141103
9.2.5.v20141112
9.2.6.v20141205
9.2.7.v20150116
9.2.8.v20150217
9.2.9.v20150224
9.2.10.v20150310
9.2.11.M0
9.2.11.v20150529
9.2.12.M0
9.2.12.v20150709
9.2.13.v20150730
9.2.14.v20151106
9.2.15.v20160210
9.2.16.v20160414
9.2.17.v20160517
9.2.18.v20160721
9.2.19.v20160908
9.2.20.v20161216
9.2.21.v20170120
9.2.22.v20170606
9.2.23.v20171218
9.2.24.v20180105
9.2.25.v20180606
9.2.26.v20180806
9.2.27.v20190403
9.2.28.v20190418
9.2.29.v20191105
9.2.30.v20200428
9.3.0.M0
9.3.0.M1
9.3.0.M2
9.3.0.RC0
9.3.0.RC1
9.3.0.v20150612
9.3.1.v20150714
9.3.2.v20150730
9.3.3.v20150827
9.3.4.RC0
9.3.4.RC1
9.3.4.v20151007
9.3.5.v20151012
9.3.6.v20151106
9.3.7.RC0
9.3.7.RC1
9.3.7.v20160115
9.3.8.RC0
9.3.8.v20160314
9.3.9.M0
9.3.9.M1
9.3.9.v20160517
9.3.10.M0
9.3.10.v20160621
9.3.11.M0
9.3.11.v20160721
9.3.12.v20160915
9.3.13.M0
9.3.13.v20161014
9.3.14.v20161028
9.3.15.v20161220
9.3.16.v20170120
9.3.17.RC0
9.3.17.v20170317
9.3.18.v20170406
9.3.19.v20170502
9.3.20.v20170531
9.3.21.M0
9.3.21.RC0
9.3.21.v20170918
9.3.22.v20171030
9.3.23.v20180228
9.3.24.v20180605
9.3.25.v20180904
9.3.26.v20190403
9.3.27.v20190418
9.3.28.v20191105
9.3.29.v20201019
9.3.30.v20211001
9.4.0.M0
9.4.0.M1
9.4.0.RC0
9.4.0.RC1
9.4.0.RC2
9.4.0.RC3
9.4.0.v20161208
9.4.0.v20180619
9.4.1.v20170120
9.4.1.v20180619
9.4.2.v20170220
9.4.2.v20180619
9.4.3.v20170317
9.4.3.v20180619
9.4.4.v20170414
9.4.4.v20180619
9.4.5.v20170502
9.4.5.v20180619
9.4.6.v20170531
9.4.6.v20180619
9.4.7.RC0
9.4.7.v20170914
9.4.7.v20180619
9.4.8.v20171121
9.4.8.v20180619
9.4.9.v20180320
9.4.10.RC0
9.4.10.RC1
9.4.10.v20180503
9.4.11.v20180605
9.4.12.RC0
9.4.12.RC1
9.4.12.RC2
9.4.12.v20180830
9.4.13.v20181111
9.4.14.v20181114
9.4.15.v20190215
9.4.16.v20190411
9.4.17.v20190418
9.4.18.v20190429
9.4.19.v20190610
9.4.20.v20190813
9.4.21.v20190926
9.4.22.v20191022
9.4.23.v20191118
9.4.24.v20191120
9.4.25.v20191220
9.4.26.v20200117
9.4.27.v20200227
9.4.28.v20200408
9.4.29.v20200521
9.4.30.v20200611
9.4.31.v20200723
9.4.32.v20200930
9.4.33.v20201020
9.4.34.v20201102
9.4.35.v20201120
9.4.36.v20210114
9.4.37.v20210219
9.4.38.v20210224
9.4.39.v20210325
9.4.40.v20210413

Database specific

{
    "last_known_affected_version_range": "<= 9.4.40"
}

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.3

Affected versions

10.*

10.0.0
10.0.1
10.0.2

Database specific

{
    "last_known_affected_version_range": "<= 10.0.2"
}

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.3

Affected versions

11.*

11.0.0
11.0.1
11.0.2

Database specific

{
    "last_known_affected_version_range": "<= 11.0.2"
}