PT-2007-1248 · Eclipse · Jetty
Published 2007-02-07 · Updated 2022-05-01 · CVE-2006-6969
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Jetty versions prior to 4.2.27
Jetty versions 5.1 prior to 5.1.12
Jetty versions 6.0 prior to 6.0.2
Jetty versions 6.1 prior to 6.1.0pre3
Description
The issue allows remote attackers to guess a session identifier by brute force, because the affected versions generate predictable session identifiers using java.util.Random, which is not a cryptographically secure generator. A guessed identifier can be used to bypass authentication requirements and possibly to conduct cross-site request forgery attacks.
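To make the weakness concrete, the following Java snippet is an added illustration and is not Jetty's source code. It places a session-identifier generator built on java.util.Random (the flawed pattern the advisory describes) next to one built on java.security.SecureRandom with at least 128 bits of output per identifier. The class names, the fixed seed value and the 16-byte minimum are assumptions chosen for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/*
 * Added illustration (not Jetty's code): a weak session-ID generator beside
 * a hardened one. Class names and the constructed seed are assumptions.
 */
public final class SessionIdDemo {

    /**
     * Weak pattern. java.util.Random is a 48-bit linear congruential
     * generator: every value it will ever emit follows from its seed, and a
     * clock-derived seed has little entropy. Identifiers produced this way
     * are therefore guessable. Kept only to show the defect; do not use.
     */
    static final class WeakSessionIds {
        private final Random rng;

        WeakSessionIds(long seed) {
            this.rng = new Random(seed);
        }

        String next() {
            return Long.toHexString(rng.nextLong());
        }
    }

    /**
     * Hardened form: a CSPRNG and a minimum of 128 bits per identifier,
     * encoded as URL-safe Base64 so it fits in a cookie value unchanged.
     */
    static final class SecureSessionIds {
        private final SecureRandom rng = new SecureRandom();
        private final int bytes;

        SecureSessionIds(int bytes) {
            if (bytes < 16) {
                throw new IllegalArgumentException("session id needs >= 128 bits of entropy");
            }
            this.bytes = bytes;
        }

        String next() {
            byte[] buf = new byte[bytes];
            rng.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }
    }

    public static void main(String[] args) {
        // Constructed seed standing in for a clock value; two weak generators
        // started from it produce identical identifiers, which is the root of
        // the predictability problem.
        long seed = 1170806400000L;
        WeakSessionIds a = new WeakSessionIds(seed);
        WeakSessionIds b = new WeakSessionIds(seed);
        String idA = a.next();
        String idB = b.next();
        System.out.println("weak   : " + idA
                + (idA.equals(idB) ? "  (reproducible from the seed)" : ""));

        // Hardened generator: 16 bytes (128 bits) from SecureRandom.
        SecureSessionIds s = new SecureSessionIds(16);
        System.out.println("secure : " + s.next());
    }
}
```

When reviewing a servlet container or an application that rolls its own session handling, the check is the same as in this snippet: the identifier must come from a cryptographically secure generator (SecureRandom on the JVM) and carry enough bits that brute-force guessing over the network is impractical; a java.util.Random instance anywhere on that path is a finding.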
Recommendations
For Jetty versions prior to 4.2.27, update to version 4.2.27 or later.
For Jetty versions 5.1 prior to 5.1.12, update to version 5.1.12 or later.
For Jetty versions 6.0 prior to 6.0.2, update to version 6.0.2 or later.
For Jetty versions 6.1 prior to 6.1.0pre3, update to version 6.1.0pre3 or later.
Fix
Weakness Enumeration
Use of Insufficiently Random Values
Related Identifiers
Affected Products
Jetty