CVE-2025-24783: Apache Cocoon vulnerable to Incorrect Usage of Seeds in Pseudo-Random Number Generator
CVSS Score: N/A
Basic Information
CVE ID: CVE-2025-24783
GHSA ID:
EPSS Score: 0.38045%
CWE: CWE-335
Published: 1/27/2025
Updated: 1/27/2025
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.cocoon:cocoon-forms-impl | maven | <= 2.3.0 | |
| org.apache.cocoon:cocoon-sitemap-impl | maven | <= 2.3.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
Both functions improperly initialize SecureRandom by seeding it with the system's startup time (System.currentTimeMillis()) instead of relying on a proper entropy source. This matches CWE-335: a predictable seed yields a predictable output stream. The CaptchaField static initializer weakens CAPTCHA generation, while the ContinuationsManagerImpl constructor weakens the randomness of continuation IDs. The referenced code shows the timestamp being passed directly as the seed, and the vulnerability description explicitly names this pattern as the root cause of predictable continuation IDs.
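Added example (not Cocoon's own code) showing the seeding pattern described above beside its hardened form. It assumes the SHA1PRNG algorithm, for which a setSeed() call made before any output fully replaces the generator state, so two instances seeded with the same millisecond timestamp emit identical ID streams; the timestamp value is constructed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedingDemo {
    // Weak pattern from the advisory: a SecureRandom whose only seed is the
    // millisecond startup time. SHA1PRNG is assumed here; for that algorithm a
    // setSeed() before the first nextBytes() fully determines the output stream.
    static SecureRandom weakPrng(long startupMillis) throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(startupMillis); // the entire state is 64 bits of wall clock
        return r;
    }

    // Hardened form: let the JDK self-seed from the platform entropy source and
    // never override that seed with a guessable value.
    static SecureRandom strongPrng() {
        return new SecureRandom();
    }

    // Draw one ID of the given length, as a continuation manager would.
    static byte[] nextId(SecureRandom r, int length) {
        byte[] id = new byte[length];
        r.nextBytes(id);
        return id;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x & 0xff));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for System.currentTimeMillis() at startup.
        long startup = 1_737_936_000_000L;

        // Two generators created with the same startup millisecond produce the same IDs.
        byte[] a = nextId(weakPrng(startup), 20);
        byte[] b = nextId(weakPrng(startup), 20);
        System.out.println("weak   #1: " + hex(a));
        System.out.println("weak   #2: " + hex(b));
        System.out.println("weak streams identical: " + Arrays.equals(a, b));

        // Self-seeded generators are independent of the clock and of each other.
        byte[] c = nextId(strongPrng(), 20);
        byte[] d = nextId(strongPrng(), 20);
        System.out.println("strong #1: " + hex(c));
        System.out.println("strong #2: " + hex(d));
        System.out.println("strong streams identical: " + Arrays.equals(c, d));
    }
}
```

The fix for the pattern is the strongPrng() shape: construct SecureRandom without a caller-supplied seed, or at most call setSeed() to add entropy on top of the default seeding, never to replace it.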