PT-2018-3158 · Eclipse · Eclipse Jetty

Published: 2018-05-30 · Updated: 2020-10-20 · CVE-2018-12538

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions 9.4.0 through 9.4.8

Description

The issue is related to the use of the optional, Jetty-provided FileSessionDataStore for persistent storage of HttpSession details. A malicious user can access or hijack other HttpSessions, and can even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. This is due to an error in the J2EE configuration. Exploitation of the issue may allow a remote attacker to gain unauthorized access to protected information by manipulating HttpSessions held in the FileSystem storage.

Recommendations

For Eclipse Jetty versions 9.4.0 through 9.4.8, consider disabling the use of the FileSessionDataStore for persistent storage of HttpSession details until a patch is available. Restrict access to the FileSystem's storage for the FileSessionDataStore to minimize the risk of exploitation. Avoid relying on HttpSessions persisted to the FileSystem storage in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Session Fixation

Weakness Enumeration

Related Identifiers

ALT-PU-2018-1819
BDU:2019-04280
CVE-2018-12538
GHSA-MWCX-532G-8PQ3

Affected Products

Alt Linux
Eclipse Jetty