- Snyk ID SNYK-JAVA-IORATPACK-174598
- published 7 May 2019
- disclosed 7 May 2019
- credit Unknown
How to fix?
Upgrade io.ratpack:ratpack-session to version 1.6.1 or higher.
io.ratpack:ratpack-session is a module that adds support for HTTP sessions within Ratpack applications.
Affected versions of this package are vulnerable to Insecure Randomness. Session IDs are generated using a weak, non-cryptographic PRNG, the ThreadLocalRandom class, instead of a cryptographically secure generator. An attacker could abuse this vulnerability to determine a small window for the server start time and obtain a session ID value, and could theoretically determine the sequence of session IDs from that.
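As an added illustration (not code from Snyk or the Ratpack project), the weak pattern the advisory describes is shown beside a hardened generator that draws 128 bits from SecureRandom. The class and method names are made up for this example; it is a stand-alone class and does not implement Ratpack's own session API.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ThreadLocalRandom;

public final class SessionIdExample {

    // Anti-pattern from the advisory: ThreadLocalRandom is a fast,
    // non-cryptographic PRNG. Its output looks uniform but is derived from a
    // small internal state, so it must not be used for session identifiers.
    static String weakSessionId() {
        long a = ThreadLocalRandom.current().nextLong();
        long b = ThreadLocalRandom.current().nextLong();
        return Long.toHexString(a) + Long.toHexString(b);
    }

    // Hardened form: a CSPRNG and at least 128 bits of entropy per ID.
    // new SecureRandom() is non-blocking on modern JDKs; reuse one instance
    // rather than constructing it per request.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SESSION_ID_BYTES = 16; // 128 bits

    static String secureSessionId() {
        byte[] bytes = new byte[SESSION_ID_BYTES];
        RNG.nextBytes(bytes);
        // URL-safe base64 without padding keeps the value cookie-friendly.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Sanity check a defender can apply to any generator: the encoded ID
    // must carry the expected number of raw bytes (22 base64url chars = 16 bytes).
    static boolean hasExpectedLength(String sessionId) {
        byte[] decoded = Base64.getUrlDecoder().decode(sessionId);
        return decoded.length == SESSION_ID_BYTES;
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakSessionId());
        String id = secureSessionId();
        System.out.println("secure : " + id + " (length ok: " + hasExpectedLength(id) + ")");
    }
}
```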