VulnerableCode Package Details - pkg:maven/org.eclipse.jetty/jetty-server@9.4.40

Search for packages

Vulnerability	Summary	Fixed by
VCID-q35p-8qhp-aqec Aliases: CVE-2021-34428 GHSA-m6cp-vxjx-65j6	SessionListener can prevent a session from being invalidated breaking logout ### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.	9.4.40.v20210413 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.4.41 Affected by 0 other vulnerabilities. 10.0.3 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.3 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-q35p-8qhp-aqec
Aliases:
CVE-2021-34428
GHSA-m6cp-vxjx-65j6

SessionListener can prevent a session from being invalidated breaking logout ### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.

9.4.40.v20210413
Affected by 4 other vulnerabilities.

9.4.41
Affected by 0 other vulnerabilities.

10.0.3
Affected by 4 other vulnerabilities.

11.0.3
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T16:57:31.993234+00:00	GHSA Importer	Affected by	VCID-q35p-8qhp-aqec	https://github.com/advisories/GHSA-m6cp-vxjx-65j6	38.1.0
2026-04-02T12:39:02.936774+00:00	GitLab Importer	Affected by	VCID-q35p-8qhp-aqec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-server/CVE-2021-34428.yml	38.0.0

2026-04-02T16:57:31.993234+00:00

GHSA Importer

Affected by

VCID-q35p-8qhp-aqec

https://github.com/advisories/GHSA-m6cp-vxjx-65j6

38.1.0

2026-04-02T12:39:02.936774+00:00

GitLab Importer

Affected by

VCID-q35p-8qhp-aqec

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-server/CVE-2021-34428.yml

38.0.0

purl	pkg:maven/org.eclipse.jetty/jetty-server@9.4.40
Tags	Ghost

Next non-vulnerable version	9.4.57.v20241219
Latest non-vulnerable version	12.1.6
Risk	1.6