CVE-2019-11808

{"id": "CVE-2019-11808", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2019-05-07T07:29:05.167", "references": [{"url": "https://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/ratpack/ratpack/issues/1448", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/ratpack/ratpack/releases/tag/v1.6.1", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs."}, {"lang": "es", "value": "Las versiones de Ratpack anteriores a la 1.6.1 generan un ID de sesi\u00f3n utilizando un PRNG criptogr\u00e1ficamente d\u00e9bil en ThreadLocalRandom del JDK. Esto significa que si un atacante puede determinar una peque\u00f1a ventana para la hora de inicio del servidor y obtener un valor de ID de sesi\u00f3n, te\u00f3ricamente puede determinar la secuencia de ID de sesi\u00f3n."}], "lastModified": "2019-05-08T16:14:44.343", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FB3DD33-AEA0-48E6-9600-2B857CB25D61", "versionEndExcluding": "1.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}