Bug 574146 (CVE-2021-34428) - Jetty SessionListener can prevent a session from being invalidated breaking logout.
Status: RESOLVED FIXED
Alias: CVE-2021-34428
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
Keywords: security
Reported: 2021-06-11 03:01 EDT by Lachlan Roberts
Modified: 2021-06-28 09:02 EDT
Description Lachlan Roberts 2021-06-11 03:01:15 EDT
For Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

CWEs
CWE-613

CVSS Score
2.9 Low
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Workarounds
The application should catch all Throwables within their SessionListener#sessionDestroyed() implementations.

This is currently fixed in Jetty 9.4.41, 10.0.3, and 11.0.3.
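The workaround above, as an added illustration that is not part of this report or of Jetty's own code: a hypothetical HttpSessionListener that releases per-session resources on logout, shown in the shape that lets an exception escape sessionDestroyed() beside the hardened form that catches every Throwable so the listener can never abort invalidation in the session ID manager. It assumes the javax.servlet API used by Jetty 9.4 (Jetty 11 uses the jakarta.servlet package names instead).

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical listener: closes a per-session resource handle when the
// session is destroyed (logout or timeout).
@WebListener
public class LogoutCleanupListener implements HttpSessionListener {
    private static final Logger LOG =
            Logger.getLogger(LogoutCleanupListener.class.getName());

    // Constructed registry of per-session handles (assumed application state).
    static final Map<String, AutoCloseable> HANDLES = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do; handles are registered elsewhere in the application.
    }

    // Vulnerable shape on Jetty <= 9.4.40 / 10.0.2 / 11.0.2: if close() throws,
    // the exception escapes sessionDestroyed() and the session ID is never
    // invalidated in the session ID manager, so on a clustered deployment with
    // multiple contexts the user can remain logged in.
    //
    // public void sessionDestroyed(HttpSessionEvent se) throws Exception {
    //     AutoCloseable h = HANDLES.remove(se.getSession().getId());
    //     if (h != null) h.close();
    // }

    // Hardened form: no Throwable may leave this method.
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        try {
            AutoCloseable handle = HANDLES.remove(id);
            if (handle != null) {
                handle.close();
            }
        } catch (Throwable t) {
            // Log and swallow: cleanup failure must not block invalidation.
            LOG.log(Level.WARNING, "Cleanup failed in sessionDestroyed", t);
        }
    }
}
```

On the fixed versions (9.4.41, 10.0.3, 11.0.3) the container itself tolerates a throwing listener; the catch block remains good practice because a partially failed cleanup is still logged rather than silently aborting the rest of the listener chain.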
Comment 1 Wayne Beaton 2021-06-17 09:47:02 EDT
Do you have a security advisory, issue, or pull request that we can reference for more information?