CVE-2021-34428
Description
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse Jetty session ID not invalidated if SessionListener#sessionDestroyed() throws an exception, allowing persistent sessions on clustered deployments.
Vulnerability
In Eclipse Jetty versions <=9.4.40, <=10.0.2, and <=11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, the session ID is not invalidated in the session ID manager. This issue is particularly relevant on deployments with clustered sessions and multiple contexts, where the failure to invalidate can leave a session active [1][3].
Exploitation
There is no known way for an attacker to directly induce such an exception; the issue only manifests when the application's own SessionListener#sessionDestroyed() implementation throws. A related pitfall makes this more likely than it sounds: on affected versions, calling HttpSession#getLastAccessedTime() from within sessionDestroyed() may throw an IllegalStateException, contrary to the Servlet specification. A listener that does this works in a non-clustered test environment but breaks logout once the application is deployed with clustered sessions [3].
Impact
A session that is not properly invalidated can result in an application used on a shared computer remaining logged in, potentially exposing sensitive data or allowing unauthorized access [1][3].
Mitigation
The fix is to upgrade to Jetty 9.4.41, 10.0.3 or 11.0.3 (the patched versions listed in the affected packages table below, sourced from the GitHub Security Advisory). Where an upgrade is not immediately possible, the workaround is to catch all Throwable instances within SessionListener#sessionDestroyed() implementations so that no exception escapes the listener and breaks session invalidation [3].
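The workaround above, as an added example that is not part of this advisory or of Jetty's own code: a hypothetical HttpSessionListener that never lets an exception escape sessionDestroyed(), and that tolerates the IllegalStateException from getLastAccessedTime() described in the Exploitation section. The listener name, the audit() sink and the use of java.util.logging are assumptions; the javax.servlet imports match Jetty 9.x/10.x, and for Jetty 11 they become jakarta.servlet.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical listener written for this advisory page; not Jetty's code.
@WebListener
public class AuditSessionListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(AuditSessionListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LOG.info(() -> "session created: " + se.getSession().getId());
    }

    // Vulnerable shape, kept as a comment for comparison. On Jetty <= 9.4.40,
    // <= 10.0.2 or <= 11.0.2 any Throwable that propagates out of this method
    // leaves the session ID registered in the session ID manager, so a
    // clustered session can survive a logout.
    //
    // public void sessionDestroyed(HttpSessionEvent se) {
    //     HttpSession s = se.getSession();
    //     audit(s.getId(), s.getLastAccessedTime());   // may throw IllegalStateException
    // }

    // Hardened shape: nothing the listener does is allowed to escape.
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        try {
            HttpSession session = se.getSession();
            String id = session.getId();
            long lastAccess;
            try {
                lastAccess = session.getLastAccessedTime();
            } catch (IllegalStateException e) {
                // Affected Jetty versions may reject this call during destruction,
                // contrary to the Servlet spec; record "unknown" instead of failing.
                lastAccess = -1L;
            }
            audit(id, lastAccess);
        } catch (Throwable t) {
            // Catch everything, including Errors, as the advisory workaround
            // requires, so the container still invalidates the session ID.
            LOG.log(Level.WARNING,
                    "sessionDestroyed listener failed; session invalidation continues", t);
        }
    }

    // Placeholder for the application's own audit logic (assumed sink).
    private void audit(String sessionId, long lastAccessedTime) {
        LOG.info(() -> "session destroyed: " + sessionId
                + " lastAccessed=" + lastAccessedTime);
    }
}
```

Catching Throwable is normally discouraged, but here the listener runs inside the container's invalidation path, and the advisory's own workaround is exactly that: anything that escapes, including an Error, prevents the session ID from being removed. The inner catch is deliberately narrow so that other failures in audit code are still logged rather than silently swallowed.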
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty:jetty-server | Maven | < 9.4.41 | 9.4.41 |
| org.eclipse.jetty:jetty-server | Maven | >= 10.0.0, < 10.0.3 | 10.0.3 |
| org.eclipse.jetty:jetty-server | Maven | >= 11.0.0, < 11.0.3 | 11.0.3 |
Affected products
- The Eclipse Foundation / Eclipse Jetty, range: 9.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m6cp-vxjx-65j6 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-34428 (NVD)
- www.debian.org/security/2021/dsa-4949 (Debian vendor advisory, DSA-4949)
- github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6 (Eclipse Jetty project advisory)
- lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E (Apache ZooKeeper issues mailing list)
- lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E (Apache ZooKeeper notifications mailing list)
- lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E (Apache ZooKeeper notifications mailing list)
- lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E (Apache ZooKeeper issues mailing list)
- lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E (Apache Kafka JIRA mailing list)
- lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E (Apache ZooKeeper issues mailing list)
- security.netapp.com/advisory/ntap-20210813-0003/ (NetApp advisory)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update, April 2022)
- www.oracle.com/security-alerts/cpujan2022.html (Oracle Critical Patch Update, January 2022)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update, October 2021)
News mentions
No linked articles in our index yet.