CVE-2009-0486
Bugzilla 3.0.7, 3.2.1, 3.3.2 - Cross-Site Request Forgery via Insufficient Randomness in mod_perl
Title source: llmDescription
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.
References (5)
Core 5
Core References
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00664.html
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00687.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/33581
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/34361
Vendor Advisory x_refsource_confirm
http://www.bugzilla.org/security/3.0.7/
Scores
EPSS
0.0057
EPSS Percentile
43.2%
Details
CWE
CWE-352
Status
published
Products (3)
mozilla/bugzilla
3.0.7
mozilla/bugzilla
3.2.1
mozilla/bugzilla
3.3.2
Published
Feb 09, 2009
Tracked Since
Feb 18, 2026