CVE-2006-6969

high

Description

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/32240

http://www.vupen.com/english/advisories/2007/0497

http://www.securityfocus.com/bid/22405

http://www.securityfocus.com/archive/1/459164/100/0/threaded

http://secunia.com/advisories/24070

http://osvdb.org/33108

http://fisheye.codehaus.org/changelog/jetty/?cs=1274

http://archives.neohapsis.com/archives/bugtraq/2007-02/0070.html

Details

Source: Mitre, NVD

Published: 2007-02-07

Updated: 2018-10-16

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High