Skip to content

Jetty Uses Predictable Session Identifiers

Moderate severity GitHub Reviewed Published May 1, 2022 to the GitHub Advisory Database • Updated Feb 12, 2024

Package

maven org.eclipse.jetty:jetty-server (Maven)

Affected versions

< 4.2.27
>= 5.1.0, < 5.1.12
>= 6.0.0, < 6.0.2
>= 6.1.0pre1, < 6.1.0pre3

Patched versions

4.2.27
5.1.12
6.0.2
6.1.0pre3

Description

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

References

Published by the National Vulnerability Database Feb 7, 2007
Published to the GitHub Advisory Database May 1, 2022
Reviewed Feb 12, 2024
Last updated Feb 12, 2024

Severity

Moderate

Weaknesses

CVE ID

CVE-2006-6969

GHSA ID

GHSA-jg2x-r643-w2ch

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.