CVE-2019-11808: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

May 7, 2019 (updated May 8, 2019)

Ratpack generates a session ID using a cryptographically weak PRNG in the JDK’s ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

References

nvd.nist.gov/vuln/detail/CVE-2019-11808

Detect and mitigate CVE-2019-11808 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →