CVE-2009-0486

Published: Feb 9, 2009Modified: Apr 23, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.

Affected (3)

Products: Mozilla: Bugzilla

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Bugzilla	Version 3.0.7
Mozilla Bugzilla	Version 3.2.1
Mozilla Bugzilla	Version 3.3.2

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (10)

http://secunia.com/advisories/34361

Source: cve@mitre.org

http://www.bugzilla.org/security/3.0.7/

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/33581

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html

Source: cve@mitre.org

http://secunia.com/advisories/34361

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.bugzilla.org/security/3.0.7/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/33581

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.