GHSA-54mg-vgrp-mwx9

Source
https://github.com/advisories/GHSA-54mg-vgrp-mwx9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-54mg-vgrp-mwx9/GHSA-54mg-vgrp-mwx9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-54mg-vgrp-mwx9
Aliases
Published
2019-05-14T04:01:37Z
Modified
2023-11-01T04:50:17.028587Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack
Details

Ratpack versions before 1.6.1 generate session IDs using the JDK's ThreadLocalRandom, which is not a cryptographically secure PRNG. This means that if an attacker can narrow the server start time down to a small window and obtain one session ID value, they can in principle determine the sequence of session IDs.
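The weak pattern this advisory describes beside the standard fix, as an added example in plain Java; this is not Ratpack's own session code, and the class, method and constant names are assumed for illustration:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ThreadLocalRandom;

// Added example, not Ratpack code. Contrasts the weak pattern the advisory
// describes (session IDs drawn from ThreadLocalRandom, CWE-338) with the
// standard fix of drawing them from a CSPRNG. Names here are illustrative.
public final class SessionIdExample {

    private static final int ID_BYTES = 16; // 128 bits of randomness per ID

    // WEAK (the pattern the advisory describes): ThreadLocalRandom is a fast
    // statistical generator whose output is a deterministic function of its
    // seed, so it must not back a security token such as a session ID.
    static String weakSessionId() {
        byte[] buf = new byte[ID_BYTES];
        ThreadLocalRandom.current().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // FIXED: SecureRandom is seeded from the platform entropy source and is
    // designed to be unpredictable. A single shared instance is thread-safe.
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureSessionId() {
        byte[] buf = new byte[ID_BYTES];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakSessionId());
        System.out.println("secure : " + secureSessionId());
    }
}
```

When auditing a dependency for this weakness class, the thing to grep for is any `java.util.Random` or `ThreadLocalRandom` use on the path that mints session IDs, tokens or nonces; only `SecureRandom` (or an equivalent CSPRNG) belongs there.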

Database specific
{
    "nvd_published_at": "2019-05-07T07:29:00Z",
    "github_reviewed_at": "2019-05-14T03:48:09Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-338"
    ]
}
References

Affected packages

Maven / io.ratpack:ratpack-session

Package

Name
io.ratpack:ratpack-session
Purl
pkg:maven/io.ratpack/ratpack-session

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.1

Affected versions

0.*

0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19

1.*

1.0.0-rc-1
1.0.0-rc-2
1.0.0-rc-3
1.0.0
1.1.0
1.1.1
1.2.0-RC-1
1.2.0-rc-2
1.2.0
1.3.0-rc-1
1.3.0-rc-2
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0-rc-1
1.4.0-rc-2
1.4.0-rc-3
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0-rc-1
1.6.0-rc-2
1.6.0-rc-3
1.6.0-rc-4
1.6.0

Maven / io.ratpack:ratpack-java

Package

Name
io.ratpack:ratpack-java
Purl
pkg:maven/io.ratpack/ratpack-java

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.1

Maven / io.ratpack:ratpack-groovy

Package

Name
io.ratpack:ratpack-groovy
Purl
pkg:maven/io.ratpack/ratpack-groovy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.1

Affected versions

0.*

0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19

1.*

1.0.0-rc-1
1.0.0-rc-2
1.0.0-rc-3
1.0.0
1.1.0
1.1.1
1.2.0-RC-1
1.2.0-rc-2
1.2.0
1.3.0-rc-1
1.3.0-rc-2
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0-rc-1
1.4.0-rc-2
1.4.0-rc-3
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0-rc-1
1.6.0-rc-2
1.6.0-rc-3
1.6.0-rc-4
1.6.0