Pseudo-Random Number Generator Flaw in Apache Cocoon by Apache
CVE-2025-24783

7.5 HIGH

Key Information:

Vendor
Apache
CVE Published:
27 January 2025

Summary

Apache Cocoon assigns each continuation a random identifier, and that identifier is all a client needs to present in order to resume the continuation. The pseudo-random number generator (PRNG) that produced these identifiers was seeded with the time at which the server started. Startup time is a small, guessable seed space: an attacker who can narrow the start time to a window of hours has only a few million candidate seeds, can test each candidate against an identifier that was legitimately issued to them, and, once the seed is found, can replay the generator to predict the identifiers issued to other users and look up their continuations, exposing whatever state those flows hold. No official fix is available because Apache Cocoon is a retired project; users are advised to migrate to an alternative or to restrict access to the instance to trusted users. As a mitigation, enabling the 'session-bound-continuations' option ensures that a continuation can only be resumed from the session that created it, so a guessed identifier presented from another session is rejected. This narrows the exposure but does not make the identifiers themselves unpredictable.
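The seed-recovery attack described above, as an added Python simulation that is not Apache Cocoon's code: the generator, the 64-bit identifier width, the continuation store and the session-binding check are assumptions standing in for Cocoon's internals, and Python's random.Random stands in for whichever deterministic PRNG Cocoon seeded with its startup time. The attacker is issued one identifier legitimately, brute-forces the startup millisecond over a small window, replays the generator to predict the next identifier the server handed out, and then presents it with and without session binding; the same search against an OS-backed CSPRNG finds nothing.

```python
"""Simulation of the CVE-2025-24783 flaw class: continuation IDs drawn from a
deterministic PRNG seeded with the server start time. Added example; every
name below is an assumption, not Apache Cocoon's implementation."""
import random
import secrets
from typing import Optional

ID_BYTES = 8  # assumption: 64-bit continuation identifiers


class TimeSeededIdGenerator:
    """The flawed pattern: a deterministic PRNG seeded with the start time."""

    def __init__(self, startup_ms: int) -> None:
        # Two processes started in the same millisecond emit identical streams.
        self._rng = random.Random(startup_ms)

    def next_id(self) -> str:
        return f"{self._rng.getrandbits(ID_BYTES * 8):0{ID_BYTES * 2}x}"


class SecureIdGenerator:
    """Hardened pattern: OS-backed CSPRNG, no caller-supplied seed to recover."""

    def next_id(self) -> str:
        return secrets.token_hex(ID_BYTES)


class ContinuationStore:
    """Server-side map from continuation ID to the session and state it resumes."""

    def __init__(self, generator, session_bound: bool) -> None:
        self._gen = generator
        self._session_bound = session_bound
        self._entries: dict = {}

    def create(self, session_id: str, state: str) -> str:
        cont_id = self._gen.next_id()
        self._entries[cont_id] = (session_id, state)
        return cont_id

    def lookup(self, cont_id: str, session_id: str) -> Optional[str]:
        entry = self._entries.get(cont_id)
        if entry is None:
            return None
        owner, state = entry
        # Analogue of 'session-bound-continuations': an ID only resumes from
        # the session that created it, so a guessed ID from elsewhere fails.
        if self._session_bound and owner != session_id:
            return None
        return state


def recover_seed(observed_id: str, window_start_ms: int, window_end_ms: int,
                 max_draws: int = 16) -> Optional[tuple]:
    """Attacker step 1: find the startup millisecond whose generator reproduces
    an ID the attacker was legitimately issued. Returns (seed, draw_index)."""
    for seed in range(window_start_ms, window_end_ms + 1):
        probe = TimeSeededIdGenerator(seed)
        for draw in range(max_draws):
            if probe.next_id() == observed_id:
                return seed, draw
    return None


def predict_ids(seed: int, known_draw: int, count: int) -> list:
    """Attacker step 2: replay the generator past the attacker's own draw and
    emit the identifiers the server handed out next (to other users)."""
    replay = TimeSeededIdGenerator(seed)
    for _ in range(known_draw + 1):
        replay.next_id()
    return [replay.next_id() for _ in range(count)]


def run_scenario(session_bound: bool) -> dict:
    """Flawed generator, with and without the session-binding mitigation."""
    startup_ms = 1_737_936_000_000  # constructed server start time (epoch ms)
    server = ContinuationStore(TimeSeededIdGenerator(startup_ms), session_bound)
    attacker_id = server.create("attacker-session", "attacker's own flow")
    victim_id = server.create("victim-session", "victim: account details")

    # The attacker knows the start time only to within a couple of seconds.
    hit = recover_seed(attacker_id, startup_ms - 2_000, startup_ms + 2_000)
    if hit is None:
        return {"seed_recovered": False, "victim_id_guessed": False,
                "victim_state_reached": None}
    seed, draw = hit
    guessed = predict_ids(seed, draw, 1)[0]
    return {
        "seed_recovered": seed == startup_ms,
        "victim_id_guessed": guessed == victim_id,
        "victim_state_reached": server.lookup(guessed, "attacker-session"),
    }


def secure_scenario() -> bool:
    """The same seed search against the CSPRNG-backed generator finds nothing."""
    startup_ms = 1_737_936_000_000
    server = ContinuationStore(SecureIdGenerator(), session_bound=False)
    attacker_id = server.create("attacker-session", "attacker's own flow")
    return recover_seed(attacker_id, startup_ms - 2_000, startup_ms + 2_000) is None


if __name__ == "__main__":
    print("unbound:", run_scenario(session_bound=False))
    print("session-bound:", run_scenario(session_bound=True))
    print("secure generator survives seed search:", secure_scenario())
```

The search window is a few seconds here only to keep the run short; an attacker with hours of uncertainty about the start time still faces only a few million candidate seeds, each testable in microseconds. Note that session binding stops the guessed identifier from resolving but leaves the identifier stream itself fully predictable; only the CSPRNG-backed generator removes the seed to search for.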

Affected Version(s)

Apache Cocoon, all versions (the affected range starts at version 0 and has no upper bound, because the project is retired and no fixed release exists)

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 27 January 2025

Credit

Xiangfan Wu from the StarMap Team of Legendsec at Qi-Anxin Group.