Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-6 (J2EE误配置:会话ID长度不充分) — Vulnerability Class 1

1 vulnerabilities classified as CWE-6 (J2EE误配置:会话ID长度不充分). AI Chinese analysis included.

CWE-6 represents a J2EE misconfiguration weakness where applications generate session identifiers with insufficient entropy or length. This vulnerability primarily facilitates session hijacking, allowing attackers to predict, guess, or steal session tokens to impersonate legitimate users and gain unauthorized access to sensitive data or functionalities. By utilizing short or predictable session IDs, the attack surface expands significantly, making brute-force or statistical prediction attacks feasible. To mitigate this risk, developers must configure their J2EE containers to enforce robust session ID generation standards. This involves ensuring session identifiers are sufficiently long, typically utilizing cryptographically secure random number generators to maximize the search space. Proper configuration prevents attackers from successfully guessing tokens, thereby maintaining session integrity and protecting user authentication states from compromise.

MITRE CWE Description
The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.
Common Consequences (1)
Access ControlGain Privileges or Assume Identity
If an attacker can guess an authenticated user's session identifier, they can take over the user's session.
Mitigations (2)
ImplementationSession identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.
ImplementationA lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a la…
Examples (1)
The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.
<sun-web-app> ... <session-config> <session-properties> <property name="idLengthBytes" value="8"> <description>The number of bytes in this web module's session ID.</description> </property> </session-properties> </session-config> ... </sun-web-app>
Bad · XML
CVE IDTitleCVSSSeverityPublished
CVE-2018-12538 Eclipse Jetty 授权问题漏洞 — Eclipse Jetty 8.3 -2018-06-22

Vulnerabilities classified as CWE-6 (J2EE误配置:会话ID长度不充分) represent 1 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.