CVE-2018-12538 in Eclipse and NetApp Products
Published on June 22, 2018
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Weakness Type
J2EE Misconfiguration: Insufficient Session-ID Length
The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.
Products Associated with CVE-2018-12538
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2018-12538 are published in these products:
Affected Versions
The Eclipse Foundation Eclipse Jetty:- Version unspecified and below 9.4.9 is affected.
- Version 9.4.0 and below unspecified is affected.
Exploit Probability
EPSS
0.52%
Percentile
66.17%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.