CWE-6 - J2EE Misconfiguration: Insufficient Session-ID Length
- Abstraction:Variant
- Structure:Simple
- Status:Incomplete
- Release Date:2006-07-19
- Latest Modification Date:2023-06-29
Weakness Name
J2EE Misconfiguration: Insufficient Session-ID Length
Description
The J2EE application is configured to use an insufficient session ID length.
If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.
Common Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: If an attacker can guess an authenticated user's session identifier, they can take over the user's session.
Related Weaknesses
Police shuts down KidFlix child sexual exploitation platform
The Reality Behind Security Control Failures—And How to Prevent Them
Counterfeit Android devices found preloaded With Triada malware
Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse
Helping Your Clients Achieve NIST Compliance: A Step by Step Guide for Service Providers
Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers
FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-146 Improper Neutralization of Expression/Command Delimiters
CWE-406 Insufficient Control of Network Message Volume (Network Amplification)
CWE-1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements