Ratpack versions before 1.6.1 generate session IDs with `java.util.concurrent.ThreadLocalRandom`, a non-cryptographic PRNG. Its state is seeded from the JVM's clock at start-up, and every value it emits is a deterministic function of that state, so an attacker who can narrow the server start time to a small window and obtain one session ID value can, in principle, reconstruct the generator state and predict the sequence of session IDs issued to other clients.
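The following is an added illustration, not Ratpack's own code or its 1.6.1 fix: the weak pattern the advisory describes (session ID bytes drawn from `ThreadLocalRandom`) beside the hardened form (`java.security.SecureRandom`), plus a small guard a project can run in a unit test to fail the build if a plain `java.util.Random` subclass is ever wired in as the session ID source. Class and method names are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import java.util.concurrent.ThreadLocalRandom;

/** Constructed example (not Ratpack's code): weak vs. hardened session ID generation. */
public final class SessionIdDemo {

    /** 128 bits of unpredictable material is the usual floor for a session ID. */
    private static final int ID_BYTES = 16;

    /**
     * VULNERABLE pattern. ThreadLocalRandom is a non-cryptographic PRNG: its per-thread
     * state is derived from a process-wide seeder initialised from the system clock, and
     * each output is a deterministic function of that state, so an attacker who recovers
     * or brute-forces the state can predict every later ID from this thread.
     */
    static String weakSessionId() {
        byte[] raw = new byte[ID_BYTES];
        ThreadLocalRandom.current().nextBytes(raw);
        return encode(raw);
    }

    /**
     * HARDENED pattern. SecureRandom is a CSPRNG seeded from the platform entropy source;
     * observing past outputs gives no advantage in predicting future ones. It is
     * thread-safe, so a single shared instance is correct; do not reseed per request.
     */
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureSessionId() {
        byte[] raw = new byte[ID_BYTES];
        SECURE.nextBytes(raw);
        return encode(raw);
    }

    /**
     * Guard for a unit test or start-up self-check: reject any RNG handed to the session
     * layer that is not a SecureRandom. ThreadLocalRandom extends java.util.Random, so a
     * type check catches exactly the mistake this advisory is about.
     */
    static Random requireCsprng(Random rng) {
        if (!(rng instanceof SecureRandom)) {
            throw new IllegalStateException(
                "session ID source must be a SecureRandom, got " + rng.getClass().getName());
        }
        return rng;
    }

    /** URL-safe, unpadded base64: 16 bytes -> 22 characters, safe to put in a cookie. */
    private static String encode(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakSessionId());
        System.out.println("secure : " + secureSessionId());
        requireCsprng(SECURE);                         // passes
        try {
            requireCsprng(ThreadLocalRandom.current()); // throws: the vulnerable source
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats for anyone auditing a similar code path: the JDK's `java.util.secureRandomSeed` system property only changes how `ThreadLocalRandom` is seeded, it does not make its output stream unpredictable once any state leaks, so it is not a substitute for upgrading; and the real remediation for this advisory is to move the affected `io.ratpack` artifacts to 1.6.1 or later rather than to patch around the generator yourself.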
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| io.ratpack:ratpack-session (Maven) | 0 (all earlier versions) | 1.6.1 | N/A |
| io.ratpack:ratpack-java (Maven) | 0 (all earlier versions) | 1.6.1 | N/A |
| io.ratpack:ratpack-groovy (Maven) | 0 (all earlier versions) | 1.6.1 | N/A |
CVSS Metrics