CVE-2006-6969

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

Published: Feb 7, 2007
Updated: Apr 13, 2023
CVE: CVE-2006-6969
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
jetty / jetty_http_server	4.2.11	4.2.11.x
jetty / jetty_http_server	6.1.0_pre2	6.1.0_pre2.x
jetty / jetty_http_server	4.2.12	4.2.12.x
jetty / jetty_http_server	5.1.11	5.1.11.x
jetty / jetty_http_server	4.2.18	4.2.18.x
jetty / jetty_http_server	6.0.1	6.0.1.x
jetty / jetty_http_server	4.2.19	4.2.19.x
jetty / jetty_http_server	4.2.16	4.2.16.x
jetty / jetty_http_server	4.2.15	4.2.15.x
jetty / jetty_http_server	4.2.9	4.2.9.x
jetty / jetty_http_server	4.2.14	4.2.14.x
jetty / jetty_http_server	4.2.17	4.2.17.x
jetty / jetty_http_server	4.2.24	4.2.24.x

Vulnerability Database

289,784

CVE-2006-6969