CVE-2006-6969

GHSA-jg2x-r643-w2ch, CVE-2006-6969

maven/org.eclipse.jetty/jetty-server

Jetty Uses Predictable Session Identifiers

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

All versions before 4.2.27, all versions starting from 5.1.0 before 5.1.12, all versions starting from 6.0.0 before 6.0.2, all versions starting from 6.1.0pre1 before 6.1.0pre3

Upgrade to versions 4.2.27, 5.1.12, 6.0.2, 6.1.0pre3 or above.

2024-02-13