Session Identifier Vulnerability in Jetty by Eclipse Foundation
CVE-2006-6969

Currently unrated

Key Information:

Vendor: Jetty

CVE Published: 7 February 2007

What is CVE-2006-6969?

Earlier versions of Jetty generate session identifiers using java.util.Random, which makes them predictable and vulnerable to brute-force attacks. This flaw lets remote attackers easily guess session identifiers and thereby bypass authentication, and it potentially opens pathways for cross-site request forgery attacks.
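The weak pattern described above, next to a hardened one, as an added example (not Jetty's code; the class name, method names and sample seed are hypothetical and constructed for illustration):

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added illustration; names here are hypothetical and not taken from Jetty.
public class SessionIdDemo {

    // Weak: java.util.Random is a 48-bit linear congruential generator.
    // Every value it returns is a deterministic function of its seed, so the
    // identifier space is far smaller than the 64 bits the output suggests.
    static String weakId(Random rng) {
        return Long.toUnsignedString(rng.nextLong(), 36);
    }

    // Hardened: one shared SecureRandom (a CSPRNG), 128 bits per identifier,
    // encoded so it is safe to place in a cookie or URL.
    private static final SecureRandom CSPRNG = new SecureRandom();

    static String strongId() {
        byte[] buf = new byte[16];
        CSPRNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        long seed = 1170806400000L; // constructed sample seed

        // Two independent generators with the same seed emit the same
        // "session identifiers": the stream carries no secret beyond the seed.
        Random server = new Random(seed);
        Random replica = new Random(seed);
        for (int i = 0; i < 3; i++) {
            String issued = weakId(server);
            String reproduced = weakId(replica);
            System.out.println(issued + "  reproduced=" + issued.equals(reproduced));
        }

        // SecureRandom identifiers cannot be reproduced from outside the process.
        System.out.println(strongId());
        System.out.println(strongId());
    }
}
```

When reviewing a code base for this class of flaw, look for java.util.Random (or Math.random) anywhere a token, session identifier or reset code is produced, and replace it with SecureRandom.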

Timeline

  • Vulnerability published

  • Vulnerability Reserved
