OrientDB Server Community Edition uses insufficiently random values to generate session IDs

2018-10-1817:41:27

Google

osv.dev

0.002 Low

EPSS

Percentile

61.2%

JSON

OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values in the server/network/protocol/http/OHttpSessionManager.java, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.

CPENameOperatorVersion
com.orientechnologies:orientdb-servereq2.0.1
com.orientechnologies:orientdb-servereq1.6.2
com.orientechnologies:orientdb-servereq2.0.4
com.orientechnologies:orientdb-servereq1.5.0
com.orientechnologies:orientdb-servereq1.4.0
com.orientechnologies:orientdb-servereq2.0.7
com.orientechnologies:orientdb-servereq2.0.9
com.orientechnologies:orientdb-servereq1.6.1
com.orientechnologies:orientdb-servereq2.1.0
com.orientechnologies:orientdb-servereq2.0-rc1

Name	Operator	Version
com.orientechnologies:orientdb-server	eq	2.0.1
com.orientechnologies:orientdb-server	eq	1.6.2
com.orientechnologies:orientdb-server	eq	2.0.4
com.orientechnologies:orientdb-server	eq	1.5.0
com.orientechnologies:orientdb-server	eq	1.4.0
com.orientechnologies:orientdb-server	eq	2.0.7
com.orientechnologies:orientdb-server	eq	2.0.9
com.orientechnologies:orientdb-server	eq	1.6.1
com.orientechnologies:orientdb-server	eq	2.1.0
com.orientechnologies:orientdb-server	eq	2.0-rc1