CVE-2019-11808

Опубликовано: 07 мая 2019

Источник: nvd

CVSS3: 3.7

CVSS2: 4.3

EPSS Низкий

Описание

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Ссылки

https://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d
Patch
Third Party Advisory
https://github.com/ratpack/ratpack/issues/1448
Patch
Third Party Advisory
https://github.com/ratpack/ratpack/releases/tag/v1.6.1
Release Notes
Third Party Advisory
https://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d
Patch
Third Party Advisory
https://github.com/ratpack/ratpack/issues/1448
Patch
Third Party Advisory
https://github.com/ratpack/ratpack/releases/tag/v1.6.1
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*

Версия до 1.6.1 (исключая)

EPSS

Процентиль: 53%

0.00297

Низкий

3.7 Low

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-338

Связанные уязвимости

GHSA-54mg-vgrp-mwx9