CVE-2019-11808: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

May 14, 2019 (updated August 4, 2021)

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK’s ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

References

github.com/advisories/GHSA-54mg-vgrp-mwx9
github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d
github.com/ratpack/ratpack/issues/1448
github.com/ratpack/ratpack/releases/tag/v1.6.1
nvd.nist.gov/vuln/detail/CVE-2019-11808

Code Behaviors & Features

Detect and mitigate CVE-2019-11808 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →