CVE-2021-34428

Name	CVE-2021-34428
Description	For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-4949-1
Debian Bugs	990578

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jetty (PTS)	jessie, jessie (lts)	6.1.26-4+deb8u2	fixed
jetty8 (PTS)	jessie, jessie (lts)	8.1.16-4+deb8u1	fixed
jetty9 (PTS)	stretch (security), stretch (lts), stretch	9.2.30-0+deb9u2	fixed
	buster (security), buster, buster (lts)	9.4.50-4+deb10u2	fixed
	bullseye (security), bullseye	9.4.50-4+deb11u2	fixed
	bookworm (security), bookworm	9.4.50-4+deb12u3	fixed
	sid, trixie	9.4.56-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
jetty	source	jessie	(not affected)
jetty	source	(unstable)	(unfixed)
jetty8	source	jessie	(not affected)
jetty8	source	(unstable)	(unfixed)
jetty9	source	stretch	(not affected)
jetty9	source	buster	9.4.16-0+deb10u1	DSA-4949-1
jetty9	source	(unstable)	9.4.39-2		990578

Notes

[stretch] - jetty9 <not-affected> (vulnerable code is not present)
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
https://github.com/eclipse/jetty.project/issues/6277
https://github.com/eclipse/jetty.project/commit/087f486b4461746b4ded45833887b3ccb136ee85 (jetty-9.4.x)
[jessie] - jetty <not-affected> (vulnerable code is not present)
[jessie] - jetty8 <not-affected> (Vulnerable code is not present)