CVE-2006-6969 : Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pr

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

Published 2007-02-07 11:28:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2006-6969

Jetty » Jetty Http Server » Version: 4.2.15
cpe:2.3:a:jetty:jetty_http_server:4.2.15:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.12
cpe:2.3:a:jetty:jetty_http_server:4.2.12:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.14
cpe:2.3:a:jetty:jetty_http_server:4.2.14:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.18
cpe:2.3:a:jetty:jetty_http_server:4.2.18:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.9
cpe:2.3:a:jetty:jetty_http_server:4.2.9:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.11
cpe:2.3:a:jetty:jetty_http_server:4.2.11:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.16
cpe:2.3:a:jetty:jetty_http_server:4.2.16:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.17
cpe:2.3:a:jetty:jetty_http_server:4.2.17:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.19
cpe:2.3:a:jetty:jetty_http_server:4.2.19:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 5.1.11
cpe:2.3:a:jetty:jetty_http_server:5.1.11:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 6.0.1
cpe:2.3:a:jetty:jetty_http_server:6.0.1:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 6.1.0 Pre2
cpe:2.3:a:jetty:jetty_http_server:6.1.0_pre2:*:*:*:*:*:*:*
Matching versions
Jetty » Jetty Http Server » Version: 4.2.24
cpe:2.3:a:jetty:jetty_http_server:4.2.24:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2006-6969

EPSS FAQ

0.59%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 68 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2006-6969

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

References for CVE-2006-6969

https://exchange.xforce.ibmcloud.com/vulnerabilities/32240

Jetty session identifiers session hijacking CVE-2006-6969 Vulnerability Report
http://osvdb.org/33108
http://secunia.com/advisories/24070

Vendor Advisory
http://www.securityfocus.com/archive/1/459164/100/0/threaded
http://fisheye.codehaus.org/changelog/jetty/?cs=1274
http://archives.neohapsis.com/archives/bugtraq/2007-02/0070.html
http://www.securityfocus.com/bid/22405

Vendor Advisory
http://www.vupen.com/english/advisories/2007/0497

Jump to

Vulnerability Details : CVE-2006-6969

Products affected by CVE-2006-6969

Exploit prediction scoring system (EPSS) score for CVE-2006-6969

CVSS scores for CVE-2006-6969

References for CVE-2006-6969