CVE-2018-12538: Session Fixation

June 22, 2018 (updated October 9, 2019)

When using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions.

References

www.securitytracker.com/id/1041194
bugs.eclipse.org/bugs/show_bug.cgi?id=536018
nvd.nist.gov/vuln/detail/CVE-2018-12538

Code Behaviors & Features

Detect and mitigate CVE-2018-12538 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →