CVE-2009-0486

2009-02-0917:30:00

CWE-352

mitre

web.nvd.nist.gov

bugzilla

mod_perl

csrf

cve-2009-0486

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.7

Confidence

Low

EPSS

0.002

Percentile

59.6%

JSON

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.

Affected configurations

Nvd

Node

mozillabugzillaMatch3.0.7

mozillabugzillaMatch3.2.1

mozillabugzillaMatch3.3.2

VendorProductVersionCPE
mozillabugzilla3.0.7cpe:2.3:a:mozilla:bugzilla:3.0.7:*:*:*:*:*:*:*
mozillabugzilla3.2.1cpe:2.3:a:mozilla:bugzilla:3.2.1:*:*:*:*:*:*:*
mozillabugzilla3.3.2cpe:2.3:a:mozilla:bugzilla:3.3.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	bugzilla	3.0.7	cpe:2.3:a:mozilla:bugzilla:3.0.7:::::::*
mozilla	bugzilla	3.2.1	cpe:2.3:a:mozilla:bugzilla:3.2.1:::::::*
mozilla	bugzilla	3.3.2	cpe:2.3:a:mozilla:bugzilla:3.3.2:::::::*