Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Jetty_http_server | Jetty | 4.2.9 (including) | 4.2.9 (including) |
Jetty_http_server | Jetty | 4.2.11 (including) | 4.2.11 (including) |
Jetty_http_server | Jetty | 4.2.12 (including) | 4.2.12 (including) |
Jetty_http_server | Jetty | 4.2.14 (including) | 4.2.14 (including) |
Jetty_http_server | Jetty | 4.2.15 (including) | 4.2.15 (including) |
Jetty_http_server | Jetty | 4.2.16 (including) | 4.2.16 (including) |
Jetty_http_server | Jetty | 4.2.17 (including) | 4.2.17 (including) |
Jetty_http_server | Jetty | 4.2.18 (including) | 4.2.18 (including) |
Jetty_http_server | Jetty | 4.2.19 (including) | 4.2.19 (including) |
Jetty_http_server | Jetty | 4.2.24 (including) | 4.2.24 (including) |
Jetty_http_server | Jetty | 5.1.11 (including) | 5.1.11 (including) |
Jetty_http_server | Jetty | 6.0.1 (including) | 6.0.1 (including) |
Jetty_http_server | Jetty | 6.1.0_pre2 (including) | 6.1.0_pre2 (including) |