3.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-34428

GHSA ID

GHSA-m6cp-vxjx-65j6

EPSS Score

0.6523%

CWE

CWE-613

Published

6/23/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-34428

CVE-2021-34428: SessionListener can prevent a session from being invalidated breaking logout

Impact

If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to sessionDestroyed, the getLastAccessedTime() throws an IllegalStateException, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out.

Workarounds

The application should catch all Throwables within their SessionListener#sessionDestroyed() implementations.

(GitHub Advisory)

3.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-34428

GHSA ID

GHSA-m6cp-vxjx-65j6

EPSS Score

0.6523%

CWE

CWE-613

Published

6/23/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty:jetty-server	maven	<= 9.4.40	9.4.41
org.eclipse.jetty:jetty-server	maven	>= 10.0.0, <= 10.0.2	10.0.3
org.eclipse.jetty:jetty-server	maven	>= 11.0.0, <= 11.0.2	11.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper exception handling during session invalidation. The Session.invalidate() method and its call stack (including SessionHandler.doInvalidate()) are responsible for: 1) Notifying SessionListeners 2) Removing the session ID from the session manager. If any SessionListener's sessionDestroyed() method throws an exception before the session ID removal occurs, the invalidation process aborts prematurely. The patched versions (9.4.41+/10.0.3+/11.0.3+) would contain try-catch blocks around listener notifications to ensure session ID removal happens regardless of listener exceptions. These functions appear in stack traces during logout attempts when listeners throw exceptions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* *n *x**ption is t*rown *rom t** `S*ssionList*n*r#s*ssion**stroy**()` m*t*o*, t**n t** s*ssion I* is not inv*li**t** in t** s*ssion I* m*n***r. On **ploym*nts wit* *lust*r** s*ssions *n* multipl* *ont*xts t*is **n r*sult in * s*ssion n

Reasoning

T** vuln*r**ility st*ms *rom improp*r *x**ption **n*lin* *urin* s*ssion inv*li**tion. T** `S*ssion.inv*li**t*()` m*t*o* *n* its **ll st**k (in*lu*in* `S*ssion**n*l*r.*oInv*li**t*()`) *r* r*sponsi*l* *or: *) Noti*yin* `S*ssionList*n*rs` *) R*movin* t*

3.5

Basic Information

Concerned about an active attack path?

CVE-2021-34428: SessionListener can prevent a session from being invalidated breaking logout

Impact

Workarounds

3.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI