PT-2021-3392 · Eclipse · Eclipse Jetty

Published: 2021-06-22 · Updated: 2024-11-26 · CVE-2021-34428

CVSS v2.0: 3.6 (Low)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions <= 9.4.40
Eclipse Jetty versions <= 10.0.2
Eclipse Jetty versions <= 11.0.2
Description

The issue is in the handling of SessionListener#sessionDestroyed(): if a listener throws an exception, the session ID is not invalidated in the session ID manager. The session can therefore survive an attempted invalidation, particularly in deployments with clustered sessions and multiple contexts, which can leave an application logged in on a shared computer. There is no known way for an attacker to induce such an exception; the attacker has to rely on the application throwing one itself. One such case is getLastAccessedTime(), which may throw an IllegalStateException (arguably contrary to the servlet specification) and so cause an application's logout to fail.
Recommendations

For Eclipse Jetty versions <= 9.4.40, catch all Throwables within the SessionListener#sessionDestroyed() implementations.
For Eclipse Jetty versions <= 10.0.2, catch all Throwables within the SessionListener#sessionDestroyed() implementations.
For Eclipse Jetty versions <= 11.0.2, catch all Throwables within the SessionListener#sessionDestroyed() implementations.
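The following is an added example of the workaround above, not code from the advisory or from the Jetty project. It shows a servlet HttpSessionListener whose sessionDestroyed() wraps all application cleanup in a catch of Throwable, so that an exception raised inside the listener (for instance the IllegalStateException that getLastAccessedTime() may throw on the affected versions) cannot stop Jetty from removing the session ID from the session ID manager. The javax.servlet package names match Jetty 9.4 and 10; Jetty 11 uses jakarta.servlet with otherwise identical code. The AuditLog class and the logger name are assumptions made for the example.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Session listener hardened against CVE-2021-34428 on unpatched Jetty.
 *
 * The vulnerable pattern is a sessionDestroyed() that lets any exception
 * escape: on Jetty <= 9.4.40 / 10.0.2 / 11.0.2 that aborts the invalidation
 * before the session ID is removed from the session ID manager.
 */
@WebListener
public class AuditSessionListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(AuditSessionListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing thrown here affects invalidation, but keep it defensive anyway.
        try {
            AuditLog.sessionStarted(se.getSession().getId());
        } catch (Throwable t) {
            LOG.log(Level.WARNING, "sessionCreated audit failed", t);
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // Capture the ID first: it is always readable, and we want it in the log
        // even if the later calls fail.
        String id = session.getId();
        try {
            // On the affected versions this call may throw IllegalStateException
            // because the session is already being invalidated.
            long lastAccess = session.getLastAccessedTime();
            AuditLog.sessionEnded(id, lastAccess);
        } catch (Throwable t) {
            // Catch everything, as the advisory recommends, and do nothing that
            // could itself throw. Control returns normally to Jetty, which then
            // finishes invalidating the session ID.
            LOG.log(Level.WARNING, "sessionDestroyed cleanup failed for session " + id, t);
        }
    }

    /** Hypothetical application audit sink; stands in for real cleanup code. */
    static final class AuditLog {
        static void sessionStarted(String id) {
            Logger.getLogger("audit").info("session started: " + id);
        }

        static void sessionEnded(String id, long lastAccessMillis) {
            Logger.getLogger("audit").info("session ended: " + id + " lastAccess=" + lastAccessMillis);
        }
    }
}
```

The point of the catch block is that it only logs and returns. Rethrowing, wrapping, or calling back into the session (for example to read attributes) would reintroduce the same failure path. The same treatment applies to every sessionDestroyed() implementation in every context of the deployment, since any one of them can abort the shared invalidation.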

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2021-03243
CVE-2021-34428
DSA-4949-1
GHSA-M6CP-VXJX-65J6
OESA-2021-1263
RHSA-2021:3758

Affected Products

Alt Linux
Astra Linux
Eclipse Jetty