CVE-2006-6969 — Jetty Uses Predictable Session Identifiers

Description

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

How to fix CVE-2006-6969

To remediate CVE-2006-6969, upgrade the affected package to a fixed version below.

Maven/org.eclipse.jetty:jetty-server—upgrade to 4.2.27 or later

Is CVE-2006-6969 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.2.27

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2006-6969
PATCHgithub.com/jetty-project/codehaus-jetty6
WEBexchange.xforce.ibmcloud.com/vulnerabilities/32240
WEBgithub.com/jetty-project/codehaus-jetty6/commit/36f81d2e7058b012f6718bc2f1e2786694a8a4a1