HP Systems Insight Manager JSessionID Session Fixation Vulnerability

Bugtraq ID:	23988
Class:	Design Error
CVE:	CVE-2007-2719
Remote:	Yes
Local:	No
Published:	May 15 2007 12:00AM
Updated:	May 07 2015 05:39PM
Credit:	Luka Treiber and Aljosa Ocepek of ACROS Security is credited with the discovery of this vulnerability.
Vulnerable:	HP Systems Insight Manager 5.0 SP6 HP Systems Insight Manager 5.0 SP5 HP Systems Insight Manager 4.2
Not Vulnerable:	HP Systems Insight Manager 5.1 SP1

HP Systems Insight Manager JSessionID Session Fixation Vulnerability

HP Systems Insight Manager is prone to a session-fixation vulnerability. This issue stems from a design error in the application.

An attacker can exploit this issue to gain administrative access on the affected computer. Successfully exploiting this issue will result in the complete compromise of affected computers.

HP Systems Insight Manager JSessionID Session Fixation Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

HP Systems Insight Manager JSessionID Session Fixation Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.

HP Systems Insight Manager JSessionID Session Fixation Vulnerability

References:

• Systems Insight Manager Homepage (HP)
  
• ACROS Security: Session Fixation Vulnerability in HP SIM 5.0 (ACROS Security)
  
• ACROS Security Problem Report #2007-05-14-1 (ACROS Security)
  
• HPSBMA02213 SSRT061214 rev.1 - HP Systems Insight Manager (SIM) for Windows, Rem (HP)