JVN#20689557
Predictable session ID vulnerability in Serene Bach
Overview
Serene Bach from SerendipityNZ Limited contains a vulnerability in which it generates predictable session IDs.
Products Affected
- Serene Bach 2.20R and earlier
- Serene Bach 3.00 beta023 and earlier
Description
Serene Bach from SerendipityNZ Limited is a weblog management system. Serene Bach contains a vulnerability in which it generates predictable session IDs.
Impact
A remote attacker could impersonate an administrator of Serene Bach. As a result, an attacker could obtain or alter information stored in Serene Bach.
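The weak-versus-strong contrast behind this advisory, as an added example that is not Serene Bach's or JPCERT/CC's code: a hypothetical timestamp-plus-counter session ID scheme (the kind that yields guessable IDs; the advisory does not say how Serene Bach derives its own) beside a CSPRNG-backed one, plus a small audit helper a defender can run over a sample of issued IDs to see how much of each ID is actually unpredictable. The names `weak_session_id`, `strong_session_id` and `audit_session_ids` are assumed here.

```python
"""Constructed example: predictable vs. CSPRNG-backed session IDs, with an audit helper."""
import math
import secrets
from collections import Counter
from os.path import commonprefix


def weak_session_id(issued_at: int, counter: int) -> str:
    # Hypothetical weak scheme: Unix time plus a per-process counter. Both
    # inputs are guessable, so the space an attacker must search is tiny.
    return f"{issued_at}{counter:04d}"


def strong_session_id(nbytes: int = 16) -> str:
    # secrets.token_hex reads the OS CSPRNG: 128 bits, infeasible to guess.
    return secrets.token_hex(nbytes)


def audit_session_ids(ids: list[str], min_bits: int = 64) -> dict:
    """Estimate the unpredictable portion of a sample of equal-length IDs.
    Characters shared by every ID (the common prefix) carry no entropy; the
    remaining positions are scored by empirical per-character Shannon entropy.
    Crude, but it exposes timestamp/counter schemes immediately."""
    if not ids or len({len(i) for i in ids}) != 1:
        raise ValueError("need a non-empty sample of equal-length IDs")
    prefix_len = len(commonprefix(ids))
    pooled = "".join(i[prefix_len:] for i in ids)
    total = len(pooled)
    bits_per_char = 0.0
    if total:
        bits_per_char = -sum(c / total * math.log2(c / total)
                             for c in Counter(pooled).values())
    effective_bits = bits_per_char * (len(ids[0]) - prefix_len)
    return {
        "length": len(ids[0]),
        "fixed_prefix_len": prefix_len,
        "bits_per_char": round(bits_per_char, 2),
        "effective_bits": round(effective_bits, 1),
        "distinct": len(set(ids)),
        "verdict": "weak" if effective_bits < min_bits else "ok",
    }


if __name__ == "__main__":
    # Constructed sample: 20 sessions issued within one second of each other.
    weak = [weak_session_id(1244400000, n) for n in range(20)]
    strong = [strong_session_id() for _ in range(20)]
    print("weak  :", audit_session_ids(weak))
    print("strong:", audit_session_ids(strong))
```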
Solution
Update the Software
Update to the latest version according to the information provided by the vendor.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2009.06.08
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | Routed - can be attacked over the Internet using packets | |
| Authentication | None - anonymous or no authentication (IP addresses do not count) | |
| User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action | |
| Exploit Complexity | Medium-High - expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise) | |
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2009-2165 |
| JVN iPedia | JVNDB-2009-000035 |