Vulnerability Description
Pentaho BI Server 1.7.0.1062 and earlier includes the session ID (JSESSIONID) in the URL, which allows attackers to obtain it from session history, referer headers, or sniffing of web traffic.
CVSS Score
5.0
MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pentaho | Bi Server | <= 1.7.0.1062 |
Related Weaknesses (CWE)
References
- http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/Exploit
- http://jira.pentaho.com/browse/BISERVER-3245Exploit
- http://www.securityfocus.com/archive/1/507168/100/0/threaded
- http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/Exploit
- http://jira.pentaho.com/browse/BISERVER-3245Exploit
- http://www.securityfocus.com/archive/1/507168/100/0/threaded
FAQ
What is CVE-2009-5101?
CVE-2009-5101 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Pentaho BI Server 1.7.0.1062 and earlier includes the session ID (JSESSIONID) in the URL, which allows attackers to obtain it from session history, referer headers, or sniffing of web traffic.
How severe is CVE-2009-5101?
CVE-2009-5101 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-5101?
Check the references section above for vendor advisories and patch information. Affected products include: Pentaho Bi Server.