Andrewmcguinness

#51395de 53,635
4.3 CVSS total
Vulnerabilities · 1
PT-2023-5724
4.3
2023-03-23
Eclipse · Jetty · CVE-2023-41900
**Name of the Vulnerable Software and Affected Versions**

- Jetty versions 9.4.21 through 9.4.51
- Jetty version 10.0.15
- Jetty version 11.0.15

**Description**

The issue is a weak-authentication flaw in Jetty when the `OpenIdAuthenticator` is used with a nested `LoginService`. If the `LoginService` revokes an already authenticated user, the current request still treats that user as authenticated. As a result, a request on a previously authenticated session can bypass authentication even after the `LoginService` has rejected the user. This affects deployments of jetty-openid that configure a nested `LoginService` capable of rejecting previously authenticated users.

**Recommendations**

- For Jetty versions 9.4.21 through 9.4.51, upgrade to version 9.4.52 or later.
- For Jetty version 10.0.15, upgrade to version 10.0.16 or later.
- For Jetty version 11.0.15, upgrade to version 11.0.16 or later.

As a temporary workaround, consider disabling the `OpenIdAuthenticator` until a patch is applied. Restrict access to the vulnerable `LoginService` to minimize the risk of exploitation, and avoid using the `LoginService` on the affected API endpoint until the issue is resolved.