CVE-2025-24783 |
Description: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon.
This issue affects Apache Cocoon: all versions.
When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have had access to.
As a mitigation, you may enable the "session-bound-continuations" option to make sure continuations are not shared across sessions.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-24783
https://lists.apache.org/thread/pk86jp5cvn41432op8wv1k8p14mp27nz
https://github.com/apache/cocoon/blob/32a4e41183ba74351d85060011151b2d58acfc52/blocks/cocoon-forms/cocoon-forms-impl/src/main/java/org/apache/cocoon/forms/formmodel/CaptchaField.java#L70
https://github.com/apache/cocoon/blob/32a4e41183ba74351d85060011151b2d58acfc52/core/cocoon-sitemap/cocoon-sitemap-impl/src/main/java/org/apache/cocoon/components/flow/ContinuationsManagerImpl.java#L112
https://github.com/advisories/GHSA-pff9-53m5-qr56
EPSS Score: 0.04%
January 27th, 2025 (5 months ago)
|
![]() |
Description: A Threat Actor Claims to be Selling Multiple Traders Leads Data
January 27th, 2025 (5 months ago)
|
![]() |
Description: Microsoft reminded Microsoft 365 admins that its new brand impersonation protection feature for Teams Chat will be available for all customers by mid-February 2025. [...]
January 27th, 2025 (5 months ago)
|
![]() |
January 27th, 2025 (5 months ago)
|
![]() |
Description: A Threat Actor Claims to have Leaked Sensitive Information of Pirelli Tire LLC
January 27th, 2025 (5 months ago)
|
![]() |
Description: A set of three distinct but related attacks, dubbed 'Clone2Leak,' can leak credentials by exploiting how Git and its credential helpers handle authentication requests. [...]
January 27th, 2025 (5 months ago)
|
![]() |
Description: /// Why a relatively unknown Chinese-developed AI model has turned the AI industry on its head.
January 27th, 2025 (5 months ago)
|
![]() |
Description: IntelBroker, EnergyWeaponUser, and Alex218 Claim to have Leaked the Data of Asia Recruit Malaysia
January 27th, 2025 (5 months ago)
|
![]() |
Description: Counter Claims to have Leaked the Data of Pt. Deen Dayal Upadhyay Management College (DDUMC)
January 27th, 2025 (5 months ago)
|
![]() |
Description: A Threat Actor Claims to have Leaked the Data of Atlas Pakistan (Pvt.) Ltd
January 27th, 2025 (5 months ago)
|