Home

CVE-2019-11808

Description

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDKs ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Risk Information

Base Score
3.7
MODERATE
Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.292

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-11808 are fixed in Ratpack-ratpack-session 1.6.1Windows
Vulnerabilities CVE-2019-11808 are fixed in Ratpack-ratpack-java 1.6.1Windows
Vulnerabilities CVE-2019-11808 are fixed in Ratpack - ratpack-groovy 1.6.1Windows
Vulnerabilities CVE-2019-11808 are fixed in Ratpack-ratpack-session for Linux 1.6.1Linux
Vulnerabilities CVE-2019-11808 are fixed in Ratpack-ratpack-java for Linux 1.6.1Linux
Vulnerabilities CVE-2019-11808 are fixed in Ratpack - ratpack-groovy for Linux 1.6.1Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234