CVE-2009-0486: CSRF
First published: Mon Feb 09 2009(Updated: )
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Bugzilla | =3.3.2 | |
| Mozilla Bugzilla | =3.0.7 | |
| Mozilla Bugzilla | =3.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2009-0486?
CVE-2009-0486 has a medium severity rating due to its potential to allow remote attackers to bypass CSRF protection.
How do I fix CVE-2009-0486?
To fix CVE-2009-0486, update Bugzilla to a version that is not affected, such as 3.4 or later.
Which versions of Bugzilla are affected by CVE-2009-0486?
Versions 3.2.1, 3.0.7, and 3.3.2 of Bugzilla are affected by CVE-2009-0486.
What type of attack does CVE-2009-0486 facilitate?
CVE-2009-0486 facilitates attacks that could allow the bypassing of cross-site request forgery (CSRF) protections.
Is CVE-2009-0486 specific to certain environments?
Yes, CVE-2009-0486 is specifically an issue when Bugzilla is running under mod_perl.
- collector/nvd-historical
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- vendor/mozilla
- canonical/mozilla bugzilla
- version/mozilla bugzilla/3.3.2
- version/mozilla bugzilla/3.0.7
- version/mozilla bugzilla/3.2.1