Ecosyste.ms: Advisories


Security Advisories: GSA_kwCzR0hTQS1qZzJ4LXI2NDMtdzJjaM2Uig

Jetty Uses Predictable Session Identifiers

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.Random, which makes it easier for remote attackers to guess a session identifier through brute-force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

Permalink: https://github.com/advisories/GHSA-jg2x-r643-w2ch
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZzJ4LXI2NDMtdzJjaM2Uig
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 3 months ago


Identifiers: GHSA-jg2x-r643-w2ch, CVE-2006-6969
References:
Repository: https://github.com/jetty-project/codehaus-jetty6
Blast Radius: 0.0

Affected Packages

maven:org.eclipse.jetty:jetty-server
Dependent packages: 3,819
Dependent repositories: 34,580
Downloads:
Affected Version Ranges: >= 6.1.0pre1, < 6.1.0pre3, >= 6.0.0, < 6.0.2, >= 5.1.0, < 5.1.12, < 4.2.27
Fixed in: 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27
All affected versions:
All unaffected versions: 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 10.0.14, 10.0.15, 10.0.16, 10.0.17, 10.0.18, 10.0.19, 10.0.20, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.0.13, 11.0.14, 11.0.15, 11.0.16, 11.0.17, 11.0.18, 11.0.19, 11.0.20, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8