A flaw was found in Eclipse Jetty versions 9.4.0 through 9.4.8. When using the optional Jetty-provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018

Created jetty tracking bugs for this issue:

Affects: fedora-27 [bug 1595455]