CVEbaza.plCWE DictionaryCWE-6
Common Weakness Enumeration

CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length

Category: VariantCVE: 1
Description

The J2EE application is configured to use an insufficient session ID length.

Extended Description

If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

CVE vulnerabilities with CWE-6 (1)
8.8
CVSS
HIGH
CVE-2018-12538

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

pub. 2018-06-22
Information
ID: CWE-6
Type: Variant
Vulnerabilities: 1
MITRE CWE ↗
← CWE Dictionary