CVE-2009-0486

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.bugzilla.org/security/3.0.7/	Vendor Advisory
http://www.securityfocus.com/bid/33581
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html
http://secunia.com/advisories/34361

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:bugzilla:3.2.1:::::::*
	cpe:2.3:a:mozilla:bugzilla:3.3.2:::::::*
	cpe:2.3:a:mozilla:bugzilla:3.0.7:::::::*

Information

Published : 2009-02-09 09:30

Updated : 2009-03-24 22:50

NVD link : CVE-2009-0486

Mitre link : CVE-2009-0486

JSON object : View

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

Advertisement

Products Affected

mozilla

bugzilla

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.bugzilla.org/security/3.0.7/", "name": "http://www.bugzilla.org/security/3.0.7/", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/33581", "name": "33581", "tags": [], "refsource": "BID"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html", "name": "FEDORA-2009-2417", "tags": [], "refsource": "FEDORA"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html", "name": "FEDORA-2009-2418", "tags": [], "refsource": "FEDORA"}, {"url": "http://secunia.com/advisories/34361", "name": "34361", "tags": [], "refsource": "SECUNIA"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-0486", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2009-02-09T17:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:3.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:3.3.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:mozilla:bugzilla:3.0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2009-03-25T05:50Z"}