CVE-2009-0486

Bugzilla 3.0.7, 3.2.1, 3.3.2 - Cross-Site Request Forgery via Insufficient Randomness in mod_perl

Title source: llm
STIX 2.1

Description

Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users.

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33581
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34361
Vendor Advisory x_refsource_confirm
http://www.bugzilla.org/security/3.0.7/

Scores

EPSS 0.0057
EPSS Percentile 43.2%

Details

CWE
CWE-352
Status published
Products (3)
mozilla/bugzilla 3.0.7
mozilla/bugzilla 3.2.1
mozilla/bugzilla 3.3.2
Published Feb 09, 2009
Tracked Since Feb 18, 2026