CVE-2018-12538
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
We have discovered 2,567 live websites that are affected by CVE-2018-12538.
Affected Software
| Product |  Jetty |
| Category | Web Servers |
| Vulnerable Domains | 2,567 live websites (100% of Jetty install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-6 J2EE Misconfiguration: Insufficient Session-ID LengthDetails
- Published - Jun 23, 2018
- Updated - Aug 5, 2024
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2018-12538 United States | 526 websites |
 Netherlands | 943 websites |
 Germany | 339 websites |
 Sweden | 91 websites |
 China | 77 websites |
 Singapore | 65 websites |
 Australia | 52 websites |
 France | 49 websites |
 Norway | 42 websites |
 Canada | 38 websites |
Website Distribution by TLD
Number of websites using CVE-2018-12538| .com | 541 websites |
| .net | 215 websites |
| .de | 149 websites |
| .org | 100 websites |
| .se | 44 websites |
| .edu | 36 websites |
| .com.au | 23 websites |
| .pl | 20 websites |
| .at | 17 websites |
| .fr | 17 websites |
Websites affected by CVE-2018-12538
Top websites that are affected by CVE-2018-12538. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.rocks | Netherlands | **,*** | |
| ******.***.***.br |  Brazil | **,*** | |
| *********.se | Sweden | **,*** | |
| *******.org | United States | **,*** | |
| ***.***.at |  Austria | **,*** | |
| **********.**.com | United States | **,*** | |
| *****.****.edu | United States | **,*** | |
| ***.**********.edu | United States | **,*** | |
| ******.***.es |  Spain | ***,*** | |
| ******.com |  Finland | ***,*** |
FAQ
CVE-2018-12538 is J2EE Misconfiguration: Insufficient Session-ID Length in Jetty
A total of 2,567 websites have been identified as vulnerable to CVE-2018-12538, based on global website indexing conducted by WebTechSurvey.
The Jetty is affected by the CVE-2018-12538 vulnerability.
Jetty versions up to 9.4.9 are vulnerable to CVE-2018-12538.
CVE-2018-12538 is resolved in version 9.4.9 of Jetty.
References
- http://www.securitytracker.com/id/1041194
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018