VYPR

CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length

VariantIncomplete

Description

The J2EE application is configured to use an insufficient session ID length.

If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-21 · CAPEC-59

CVEs mapped to this weakness (1)

  • CVE-2018-12538HigJun 22, 2018
    risk 0.57cvss 8.8epss 0.03

    In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the…