First published: Wed Feb 07 2007
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.Random, which makes it easier for remote attackers to guess a session identifier through brute-force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
Credit: cve@mitre.org
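To illustrate the weakness the advisory describes, here is an added example (not Jetty's code): a session-ID generator built on java.util.Random beside the hardened form built on java.security.SecureRandom. The seed value and class name are constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/** Added illustration (not Jetty's code): why a java.util.Random-based
 *  session ID is predictable, and what the SecureRandom replacement looks like. */
public class SessionIdDemo {

    // Weak pattern from the advisory: java.util.Random is a 48-bit linear
    // congruential generator. Its whole output stream is fixed by the seed,
    // so two generators started from the same seed hand out identical IDs,
    // and a short run of observed IDs pins down every later one.
    static String weakSessionId(Random rng) {
        return Long.toHexString(rng.nextLong());
    }

    // Hardened form: a CSPRNG and at least 128 bits of output per ID.
    // SecureRandom seeds itself from the platform entropy source.
    static String strongSessionId(SecureRandom rng) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed seed for the demonstration; a server that seeds from
        // the clock is just as guessable, since the clock is public.
        long seed = 1170806400000L;
        Random a = new Random(seed);
        Random b = new Random(seed);
        // Both lines print the same value: the ID depends only on the seed.
        System.out.println("weak   (a): " + weakSessionId(a));
        System.out.println("weak   (b): " + weakSessionId(b));

        SecureRandom s = new SecureRandom();
        // Two draws from the CSPRNG are unrelated to each other and to any seed.
        System.out.println("strong    : " + strongSessionId(s));
        System.out.println("strong    : " + strongSessionId(s));
    }
}
```

The check a reviewer would apply to a session manager is the one this contrasts: an ID derived from java.util.Random (or from the clock) is reproducible, while one drawn from SecureRandom with 128 or more bits is not.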
Affected Software | Affected Version | How to fix |
---|---|---|
Jetty Jetty Http Server | =4.2.11 | |
Jetty Jetty Http Server | =6.1.0_pre2 | |
Jetty Jetty Http Server | =4.2.12 | |
Jetty Jetty Http Server | =5.1.11 | |
Jetty Jetty Http Server | =4.2.18 | |
Jetty Jetty Http Server | =6.0.1 | |
Jetty Jetty Http Server | =4.2.19 | |
Jetty Jetty Http Server | =4.2.16 | |
Jetty Jetty Http Server | =4.2.15 | |
Jetty Jetty Http Server | =4.2.9 | |
Jetty Jetty Http Server | =4.2.14 | |
Jetty Jetty Http Server | =4.2.17 | |
Jetty Jetty Http Server | =4.2.24 | |
maven/org.eclipse.jetty:jetty-server | >=6.1.0pre1<6.1.0pre3 | 6.1.0pre3 |
maven/org.eclipse.jetty:jetty-server | >=6.0.0<6.0.2 | 6.0.2 |
maven/org.eclipse.jetty:jetty-server | >=5.1.0<5.1.12 | 5.1.12 |
maven/org.eclipse.jetty:jetty-server | <4.2.27 | 4.2.27 |