Vulnerability Description
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Bugzilla | 3.0.7 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/34361
- http://www.bugzilla.org/security/3.0.7/Vendor Advisory
- http://www.securityfocus.com/bid/33581
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html
- http://secunia.com/advisories/34361
- http://www.bugzilla.org/security/3.0.7/Vendor Advisory
- http://www.securityfocus.com/bid/33581
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html
FAQ
What is CVE-2009-0486?
CVE-2009-0486 is a vulnerability with a CVSS score of 7.5 (HIGH). Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers fo...
How severe is CVE-2009-0486?
CVE-2009-0486 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-0486?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Bugzilla.