Vulnerability Name: | CVE-2009-0486 (CCN-48454)
Assigned: | 2009-02-02
Published: | 2009-02-02
Updated: | 2009-03-25
Summary: | Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.
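The failure mode in the summary, as an added example (not Bugzilla's, mod_perl's, or Apache's own code): a PRNG seeded once in the parent before worker processes are forked, so every child inherits the same generator state and hands out the same "random" token sequence, which is what lets one client predict the CSRF token another client will be issued. The seed constant, token alphabet, token length and all function names are assumptions for the demo; fork() is simulated by copying PRNG state, which is exactly what a forked child's copied memory contains. The reseed-per-child variant mirrors the general remedy (seed after fork, from OS entropy) rather than the exact upstream patch, and the final helper shows the stronger fix of not using a seedable PRNG for security tokens at all.

```python
"""Constructed demo of seed-before-fork token predictability (CVE-2009-0486 pattern).
Example code added for this entry; not from Bugzilla or mod_perl."""
import os
import random
import secrets
from typing import List

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed token alphabet
TOKEN_LEN = 10                                      # assumed token length
STARTUP_SEED = 20090202                             # stand-in for whatever srand() got at startup


def seeded_parent(seed: int = STARTUP_SEED) -> random.Random:
    """Parent seeds once at startup (the srand-at-startup pattern).

    The seed value is irrelevant to the bug: seeding *before* fork is the flaw,
    because the seeded state is then duplicated into every child.
    """
    rng = random.Random()
    rng.seed(seed)
    return rng


def fork_child(parent: random.Random) -> random.Random:
    """Simulate fork(): the child starts with an exact copy of the parent's PRNG state."""
    child = random.Random()
    child.setstate(parent.getstate())
    return child


def token_from(rng: random.Random) -> str:
    """Token drawn from whichever generator the worker was handed."""
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def vulnerable_worker_tokens(n_children: int, per_child: int) -> List[List[str]]:
    """Vulnerable layout: each forked child issues tokens from the inherited state.

    Returns one token list per child; with shared state every list is identical,
    so a token observed from child 0 is the token a victim gets from child 3.
    """
    parent = seeded_parent()
    children = [fork_child(parent) for _ in range(n_children)]
    return [[token_from(c) for _ in range(per_child)] for c in children]


def reseeded_worker_tokens(n_children: int, per_child: int) -> List[List[str]]:
    """Minimal fix: reseed inside each child, after fork, from OS entropy.

    This is the general remedy (per-child seeding), labelled as such; it is not
    a claim about the exact upstream patch.
    """
    parent = seeded_parent()
    children = []
    for _ in range(n_children):
        c = fork_child(parent)
        c.seed(int.from_bytes(os.urandom(32), "big"))  # the step the vulnerable code lacked
        children.append(c)
    return [[token_from(c) for _ in range(per_child)] for c in children]


def csprng_token() -> str:
    """Stronger fix: security tokens come from the OS CSPRNG, never a seedable PRNG."""
    return secrets.token_hex(16)


def all_children_identical(token_lists: List[List[str]]) -> bool:
    """True when every child issued exactly the same token sequence."""
    return all(lst == token_lists[0] for lst in token_lists)


if __name__ == "__main__":
    vuln = vulnerable_worker_tokens(4, 3)
    print("vulnerable children identical:", all_children_identical(vuln), vuln[0])
    fixed = reseeded_worker_tokens(4, 3)
    print("reseeded children identical:", all_children_identical(fixed))
    print("CSPRNG token:", csprng_token())
```

Reseeding per child only removes the cross-process correlation; the generator behind rand()/srand() (or Python's Mersenne Twister here) is still not a cryptographic source, and a few observed outputs can let an attacker recover its state. For CSRF tokens the practitioner's check is therefore twofold: confirm that no seeding happens before the server forks, and confirm that the token comes from an OS-backed CSPRNG rather than from srand()/rand() at all.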
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
| 5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
| 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: | CWE-352
Vulnerability Consequences: | Obtain Information
References: |
Source: MITRE, Type: CNA: CVE-2009-0486
Source: CCN, Type: SA33781: Bugzilla Multiple Vulnerabilities
Source: SECUNIA, Type: UNKNOWN: 34361
Source: CCN, Type: Bugzilla Web site: 3.2.1, 3.0.7, and 3.3.2 Security Advisory
Source: CONFIRM, Type: Vendor Advisory: http://www.bugzilla.org/security/3.0.7/
Source: CCN, Type: GLSA-201006-19: Bugzilla: Multiple vulnerabilities
Source: CCN, Type: OSVDB ID: 54057: Bugzilla with mod_perl Startup Token Entropy Weakness
Source: CCN, Type: BID-33580: Bugzilla HTML Injection and Cross Site Request Forgery Vulnerabilities
Source: BID, Type: UNKNOWN: 33581
Source: CCN, Type: BID-33581: Bugzilla Pseudo-Random Number Generator Shared Seed Vulnerability
Source: XF, Type: UNKNOWN: bugzilla-srand-information-disclosure(48454)
Source: FEDORA, Type: UNKNOWN: FEDORA-2009-2418
Source: FEDORA, Type: UNKNOWN: FEDORA-2009-2417
Vulnerable Configuration: | Configuration 1; Configuration CCN 1 (configuration details were presented as an image and are not available in text form)