CVE-2025-24783
Published: 27 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24783 is an Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability (CWE-335) affecting all versions of Apache Cocoon. The issue arises when continuations are created and assigned random identifiers using a PRNG seeded solely with the application's startup time, rendering the identifiers insufficiently unpredictable.
Remote attackers with no privileges required can exploit this over the network with low complexity and no user interaction (CVSSv3.1 score of 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By guessing the predictable continuation IDs, they can access continuations that should be restricted, leading to unauthorized data disclosure.
Apache advisories note that as Cocoon is a retired project, no patched version will be released. Mitigation involves enabling the "session-bound-continuations" option to prevent sharing across sessions, alongside recommendations to migrate to alternatives or restrict instance access to trusted users only. This vulnerability exclusively impacts unsupported products.
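The two halves of the advisory above (a PRNG seeded only with startup time, and the "session-bound-continuations" mitigation) are easiest to reason about with a small model. The following Python is an added example written for this page; it is not Cocoon's code and deliberately does not reproduce Cocoon's identifier format. It assumes a 64-bit identifier width, a constructed startup timestamp, and the class and function names shown. `reproducible_from_seed` is the check an auditor would run against any ID generator: if a fresh PRNG seeded with the recorded startup time replays the identifiers the service handed out, those identifiers carry no more entropy than the seed. `ContinuationStore` models why binding continuations to the creating session closes the disclosure path even when identifiers remain weak.

```python
import random
import secrets
from typing import Optional

ID_BYTES = 8  # 64-bit continuation identifiers in this model (assumption, not Cocoon's width)


class TimeSeededIdGenerator:
    """Model of the weak pattern the advisory describes (constructed, not Cocoon's code):
    a general-purpose PRNG seeded once with the application's startup time, then used
    to mint every continuation identifier."""

    def __init__(self, startup_time_ms: int) -> None:
        self._rng = random.Random(startup_time_ms)

    def next_id(self) -> str:
        return f"{self._rng.getrandbits(ID_BYTES * 8):0{ID_BYTES * 2}x}"


class SecureIdGenerator:
    """Hardened form: identifiers come from the OS CSPRNG, so there is no seed to recover."""

    def next_id(self) -> str:
        return secrets.token_hex(ID_BYTES)


def reproducible_from_seed(ids: list[str], candidate_seed: int) -> bool:
    """Audit check: does a fresh PRNG seeded with the candidate startup time replay the
    identifiers the service issued? True means the ids are a function of the seed alone."""
    replica = TimeSeededIdGenerator(candidate_seed)
    return [replica.next_id() for _ in ids] == ids


class ContinuationStore:
    """Model of the 'session-bound-continuations' mitigation: when bound, a continuation
    can only be resumed by the session that created it, so knowing an id is not enough."""

    def __init__(self, session_bound: bool) -> None:
        self.session_bound = session_bound
        self._store: dict[str, tuple[str, object]] = {}

    def create(self, cont_id: str, session_id: str, state: object) -> None:
        self._store[cont_id] = (session_id, state)

    def resume(self, cont_id: str, session_id: str) -> Optional[object]:
        entry = self._store.get(cont_id)
        if entry is None:
            return None
        owner, state = entry
        if self.session_bound and owner != session_id:
            return None  # id matches but the requesting session does not own it
        return state


def demo() -> dict:
    """Run both generators through the audit check with a constructed startup time."""
    startup = 1737936000000  # constructed startup timestamp in ms, not a real value
    weak = TimeSeededIdGenerator(startup)
    weak_ids = [weak.next_id() for _ in range(3)]
    strong = SecureIdGenerator()
    strong_ids = [strong.next_id() for _ in range(3)]
    return {
        "weak_reproducible": reproducible_from_seed(weak_ids, startup),      # True
        "strong_reproducible": reproducible_from_seed(strong_ids, startup),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The audit check is the useful part for a defender: it turns the advisory's claim into a regression test that fails for any generator whose output is a pure function of a low-entropy seed, and passes once identifiers are drawn from a CSPRNG. The store shows that enabling session binding is a sound compensating control on a retired product: a resumed continuation must match both the identifier and the owning session.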
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to exploit a public-facing Apache Cocoon web application by predicting continuation IDs due to weak PRNG seeding, directly enabling unauthorized data disclosure.