CVE-2006-6969 – org.eclipse.jetty:jetty-server
Package
Manager: maven
Name: org.eclipse.jetty:jetty-server
Vulnerable Version: >=0 <4.2.27 || >=5.1.0 <5.1.12 || >=6.0.0 <6.0.2 || >=6.1.0pre1 <6.1.0pre3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0064 (percentile 0.69658)
Details
Jetty Uses Predictable Session Identifiers
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates session identifiers using java.util.Random, a non-cryptographic generator whose output is predictable. This makes it easier for remote attackers to guess a valid session identifier by brute force, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
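The weakness class the advisory describes (CWE-330) is shown below in an added, self-contained Java example; this is not Jetty's code, and the class and method names are assumptions for illustration. It places the weak pattern (a session identifier derived from java.util.Random) beside the form a defender wants: 128 bits from a CSPRNG, encoded for use in a cookie. The real remediation for this CVE is upgrading to a fixed Jetty version; the example only shows what the fix has to achieve.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Hypothetical class for illustration; not part of Jetty.
public class SessionIdExample {

    // Weak pattern (what the advisory describes): java.util.Random is a
    // 48-bit linear congruential generator. Its internal state is small and
    // its outputs are correlated, so identifiers built from it are guessable.
    static String weakSessionId(Random rng) {
        return Long.toString(rng.nextLong(), 36);
    }

    // Hardened pattern: draw the identifier from a cryptographically secure
    // generator. 16 bytes = 128 bits of entropy is the usual baseline for
    // session identifiers; URL-safe Base64 keeps it cookie-friendly.
    private static final SecureRandom SECURE_RNG = new SecureRandom();

    static String strongSessionId() {
        byte[] raw = new byte[16];
        SECURE_RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Sanity check a defender can keep in a unit test: the identifier must
    // carry at least 128 bits of raw entropy (22 Base64 chars without padding)
    // and be produced from a SecureRandom instance, never from java.util.Random.
    static boolean looksStrong(String sessionId, Random source) {
        return source instanceof SecureRandom && sessionId.length() >= 22;
    }

    public static void main(String[] args) {
        // Same seed, same sequence: this is why Random-based ids are a risk.
        System.out.println("weak  : " + weakSessionId(new Random(42L)));
        System.out.println("weak  : " + weakSessionId(new Random(42L)));
        String strong = strongSessionId();
        System.out.println("strong: " + strong
            + " (strong=" + looksStrong(strong, SECURE_RNG) + ")");
    }
}
```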
Metadata
Created: 2022-05-01T07:43:29Z
Modified: 2024-02-12T16:20:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json
CWE IDs: ["CWE-330"]
Alternative ID: GHSA-jg2x-r643-w2ch
Finding: F034
Auto approve: 1