CVE-2025-24783

CWE-335 CWE-476 — NULL Pointer Dereference5 documents5 sources

Severity

7.5HIGH

EPSS

1.0%

top 22.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Cocoon

Timeline

PublishedJan 27

Description

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not have h…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.cocoon:cocoon-forms-impl2.3.0

▶Mavenorg.apache.cocoon:cocoon-sitemap-impl2.3.0

▶CVEListV5apache_software_foundation/apache_cocoon*

🔴Vulnerability Details

GHSA

Apache Cocoon vulnerable to Incorrect Usage of Seeds in Pseudo-Random Number Generator↗2025-01-27

▶

CVEList

Apache Cocoon: continuations may not be private↗2025-01-27

▶

OSV

Apache Cocoon vulnerable to Incorrect Usage of Seeds in Pseudo-Random Number Generator↗2025-01-27

▶

📋Vendor Advisories

Microsoft

Verify panics on certificates with an unknown public key algorithm in crypto/x509↗2024-03-12

▶