Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.
{
"cpe": "cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"71367211667805614474262679484365507025",
"154913202557657715797989884372491816929",
"203145417490335592114016916057217824295",
"77552764402514804693061393479611006934"
]
},
"target": {
"file": "ratpack-session/src/main/java/ratpack/session/SessionModule.java"
},
"id": "CVE-2019-11808-078847f3",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"223769642921180714213624975815823092972",
"270234634705521122023414332419619368198",
"192011128202987122063634888260665579081",
"117400372187328187914271744312200082874",
"99069651121528590450252327565252769957",
"305049644449210423698307830915945668901",
"196581739354092496730175082181381076825",
"244116176367642181748269931645136646689",
"300381473656706452809181982359708873149"
]
},
"target": {
"file": "ratpack-session/src/main/java/ratpack/session/internal/DefaultSessionIdGenerator.java"
},
"id": "CVE-2019-11808-0fc3d6e1",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d",
"deprecated": false
},
{
"digest": {
"function_hash": "207315375411098578483848171294891764207",
"length": 174.0
},
"target": {
"function": "generateSessionId",
"file": "ratpack-session/src/main/java/ratpack/session/internal/DefaultSessionIdGenerator.java"
},
"id": "CVE-2019-11808-4ea60d16",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d",
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11808.json"
"2026-07-08T15:55:06Z"