CVE-2021-34428 — SessionListener can prevent a session from being invalidated breaking logout

Description

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

How to fix CVE-2021-34428

To remediate CVE-2021-34428, upgrade the affected package to a fixed version below.

—upgrade to 9.4.39-2 or later
—upgrade to 9.4.41 or later

Is CVE-2021-34428 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 9.4.39-2
from 0, < 9.4.41

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.5	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (15)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-34428
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-34428
WEBgithub.com/eclipse/jetty.project
WEBgithub.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6