fkie_nvd - fkie_cve-2009-3585

fkie_cve-2009-3585

Vulnerability from fkie_nvd

Published

2009-12-02 16:30

Modified

2025-04-09 00:30

Severity ?

Summary

Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.

References

URL	Tags
cve@mitre.org	http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch
cve@mitre.org	http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch
cve@mitre.org	http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch
cve@mitre.org	http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch
cve@mitre.org	http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch
cve@mitre.org	http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch
cve@mitre.org	http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html
cve@mitre.org	http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html	Patch
cve@mitre.org	http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html	Patch
cve@mitre.org	http://secunia.com/advisories/37546	Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/37728	Vendor Advisory
cve@mitre.org	http://www.securityfocus.com/bid/37162
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/54472
cve@mitre.org	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html
cve@mitre.org	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html
cve@mitre.org	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html
af854a3a-2127-422b-91ae-364da2661108	http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch
af854a3a-2127-422b-91ae-364da2661108	http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch
af854a3a-2127-422b-91ae-364da2661108	http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch
af854a3a-2127-422b-91ae-364da2661108	http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch
af854a3a-2127-422b-91ae-364da2661108	http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch
af854a3a-2127-422b-91ae-364da2661108	http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch
af854a3a-2127-422b-91ae-364da2661108	http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/37546	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/37728	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/37162
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/54472
af854a3a-2127-422b-91ae-364da2661108	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html
af854a3a-2127-422b-91ae-364da2661108	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html
af854a3a-2127-422b-91ae-364da2661108	https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html

Impacted products

Vendor	Product	Version
bestpractical	rt	3.0.1
bestpractical	rt	3.0.2
bestpractical	rt	3.0.3
bestpractical	rt	3.0.4
bestpractical	rt	3.0.5
bestpractical	rt	3.0.6
bestpractical	rt	3.0.7
bestpractical	rt	3.0.7.1
bestpractical	rt	3.0.8
bestpractical	rt	3.0.9
bestpractical	rt	3.0.10
bestpractical	rt	3.0.11
bestpractical	rt	3.0.12
bestpractical	rt	3.2.0
bestpractical	rt	3.2.1
bestpractical	rt	3.2.2
bestpractical	rt	3.2.3
bestpractical	rt	3.4.0
bestpractical	rt	3.4.1
bestpractical	rt	3.4.2
bestpractical	rt	3.4.3
bestpractical	rt	3.4.4
bestpractical	rt	3.4.5
bestpractical	rt	3.4.6
bestpractical	rt	3.6.0
bestpractical	rt	3.6.1
bestpractical	rt	3.6.2
bestpractical	rt	3.6.3
bestpractical	rt	3.6.4
bestpractical	rt	3.6.5
bestpractical	rt	3.6.6
bestpractical	rt	3.6.7
bestpractical	rt	3.6.8
bestpractical	rt	3.6.9
bestpractical	rt	3.8.0
bestpractical	rt	3.8.1
bestpractical	rt	3.8.2
bestpractical	rt	3.8.3
bestpractical	rt	3.8.4
bestpractical	rt	3.8.5

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA418CF5-49D6-4E0E-A1B5-8CB23752989D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E238F87-8D8C-4E62-A8F0-3DB9EFDB8328",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FD8A7EF-5DB8-40C6-9124-A97A23B3EA02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "2AD553B8-8495-47E5-A543-4DC963B3511A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "28ADB191-4787-4FDB-B70A-F4C8BDF0F4B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2772389A-9BCD-4B13-88C8-75BC64E40AF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1F9D05F-C86D-40D8-A7D9-5448918B72DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "311485DA-5381-4EAD-AF58-B8C67373413A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "2EAF6671-8C77-448B-BF29-E2CF51176CC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B55D762D-A723-435C-8D80-F7230F1648D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CC63EDC-541E-445D-8B72-799E4184B7EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5E6196E-4A90-4F64-BA99-A8E04A09D5ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "91D7CE86-3FCD-472E-BF01-31FFB36701BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "70B3F0B2-8C70-4046-AAA0-FBD344FE4DBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCD0173D-F699-4864-8856-D1792BDA0F84",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "19CC2E53-5DE8-4A31-9B8A-79335DFBAFEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "404AFC5C-20B4-41E5-ACDE-56626D68AFEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F37D1380-965B-40E0-8A20-61FEA072B8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E101B0FE-499F-44D8-8B68-BB7FEE40D2B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "747D8CD1-EE12-48A4-A795-88BC66A8DA33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FDE201D-F31A-4738-B9AB-7BB11417990E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D6ED4EC-F860-47BD-B699-551FB5DBF039",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3398823-1813-4D7B-9EC9-74222A240051",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.4.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "F98B7895-BDB3-477C-8B34-88BD3E02EAFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1512169D-DCEF-4964-B05A-3DF19CDE8F57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B427F5D4-ACD6-46E5-B94F-CA30330C6492",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9B38C33-D680-4285-A849-E6CDA9F4802F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "646CFD82-15FE-48E4-83C9-E3E037E9F928",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "57404A14-6E1C-4F3B-8120-75F1073A3E18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F40ED56-CDAC-40BB-A026-5D6A09DCB72C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "33C325D9-CB88-430F-B1AE-3544C7176398",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1E86D15-8435-46B9-88FF-8A51771C55E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "543C8E63-9A49-4D6A-899A-7D244D0CCC17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.6.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "00AFB893-E37A-4E81-A984-66D677161D80",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C503726A-4AAB-4444-A204-7F53A6369919",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2B93F59-E22F-47E0-A5EA-D5716E9EAB48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0BF01543-2929-4ADA-BD74-ABE00BF066BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.8.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "562E9782-259B-42C6-BC3E-C452799A78FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4D2E2C8-15E8-45E4-9DBF-6CF2BEB30576",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bestpractical:rt:3.8.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E4D117A-92C0-4884-A3E6-F6FCC8B89458",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de permanencia de sesi\u00f3n en html/Elements/SetupSessionCookie en Best Practical Solutions RT desde v3.0.0 hasta v3.6.9 y desde v3.8.x hasta v3.8.5 permite a atacantes remotos secuestrar sesiones web fijando el identificador de sesi\u00f3n a trav\u00e9s de una manipulaci\u00f3n que aprovecha un segundo servidor web dentro del mismo dominio."
    }
  ],
  "id": "CVE-2009-3585",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2009-12-02T16:30:00.437",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/37546"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/37728"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/37162"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54472"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/37546"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/37728"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/37162"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54472"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00761.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00794.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00832.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2009-3585 (GCVE-0-2009-3585)

Vulnerability from cvelistv5

Published

2009-12-02 16:00

Modified

2024-08-07 06:31