CVE-2019-11808 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Ratpack Project Ratpack
CVSS metrics
- Attack vector: NETWORK
- Attack complexity: HIGH
- Privileges required: NONE
- Confidentiality impact: LOW
- Integrity impact: NONE
- Availability impact: NONE
Summary
Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.
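The weak pattern the summary describes, shown beside the hardened form a reviewer would expect. This is an added illustration written for this page, not Ratpack's own code; the class and method names are assumed, and the 16-byte token length is a chosen example value.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ThreadLocalRandom;

// Illustrative example, not code from the Ratpack project.
public final class SessionIdExamples {

    // WEAK: the pattern behind CVE-2019-11808. ThreadLocalRandom is a
    // non-cryptographic generator; its state is seeded once at startup and
    // then advances deterministically, so output is not suitable for
    // session identifiers or any other security token.
    static String weakSessionId() {
        byte[] buf = new byte[16];
        ThreadLocalRandom.current().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // HARDENED: SecureRandom is backed by the platform CSPRNG. A single
    // shared instance is thread-safe, so it can live in a static field.
    private static final SecureRandom SECURE = new SecureRandom();

    // 16 random bytes give a 128-bit identifier, which is the usual minimum
    // for an unguessable session ID; URL-safe Base64 keeps it cookie-friendly.
    static String secureSessionId() {
        byte[] buf = new byte[16];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        System.out.println("weak (do not use):   " + weakSessionId());
        System.out.println("secure:              " + secureSessionId());
        // Useful when auditing a deployment: confirms which CSPRNG backs
        // the hardened generator (for example "NativePRNG" or "SHA1PRNG").
        System.out.println("SecureRandom algorithm: " + SECURE.getAlgorithm());
    }
}
```

When auditing a code base for this class of weakness, search token- and ID-generating code for `ThreadLocalRandom`, `java.util.Random`, or `Math.random()` and replace them with `SecureRandom` as above.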
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d
- https://github.com/ratpack/ratpack/issues/1448
- https://github.com/ratpack/ratpack/releases/tag/v1.6.1