Jetty web server weak pseudo-random number generator - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku

Jetty web server weak pseudo-random number generator
Published: 05.02.2007
Source: BUGTRAQ
SecurityVulns ID: 7184
Type: remote
Level: 5/10
Description: Weak PRNG generator is used for session cookie making it's possible to spoof the session id.

Affected: JETTY : Jetty 5.1
JETTY : Jetty 4.2
JETTY : Jetty 6.0
JETTY : Jetty 6.1
CVE: CVE-2006-6969 (Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.)

Original document NGSSoftware Insight Security Research Advisory (NISR), Jetty Session ID Prediction (05.02.2007)

Discuss: Read or add your comments to this news (0 comments)