Описание
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
A flaw was found in Jetty that could allow a remote attacker to hijack a valid user's session due to a vulnerability in the "java.util.Random" class. When predictable naming patterns are used for session identifiers in Jetty, a remote attacker could hijack a victim's session and gain unauthorized access to the application.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | jetty | Not affected |
Показывать по
Дополнительная информация
Статус:
4.8 Medium
CVSS3
Связанные уязвимости
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 befo ...
4.8 Medium
CVSS3