Published:2009/06/08  Last Updated:2009/06/10

Predictable session ID vulnerability in Serene Bach


Serene Bach from SerendipityNZ Limited contains a vulnerability in which it generates predictable session ID's.

Products Affected

  • Serene Bach 2.20R and earlier
  • Serene Bach 3.00 beta023 and earlier


Serene Bach from SerendipityNZ Limited is a weblog management system. Serene Bach contains a vulnerability in which it generates predictable session ID's.


A remote attacker could impersonate an administrator of Serene Bach. As a result, an attacker could obtain or alter information stored in Serene Bach.


Update the Software
Update to the latest version according to the information provided by the vendor.

Vendor Status

Vendor Status Last Update Vendor Notes
SerendipityNZ Limited Vulnerable 2009/06/08


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.06.08

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Medium-High - expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise)
  • Medium

Description of each analysis measures


Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2009-2165
JVN iPedia JVNDB-2009-000035

Update History