Apache Cocoon
cpe:2.3:a:apache:cocoon:*:*:*:*:*:*:*
A vulnerability exists in all versions of Apache Cocoon due to incorrect seeding of the pseudo-random number generator (PRNG) used to create random identifiers for continuations. The PRNG was seeded with the startup time, which may not have provided sufficient randomness. This lack of unpredictability could allow an attacker to guess continuation IDs and access continuations that should have been private. As a mitigation, users can enable the 'session-bound-continuations' option to prevent continuations from being shared across sessions. However, since Apache Cocoon is a retired project, no official fix will be released. Users are advised to seek alternatives or limit access to trusted individuals.
Exploitation of this vulnerability could allow an attacker to predict continuation IDs and gain unauthorized access to continuations they should not be able to reach.
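The weakness class described above, as an added illustration that is not Cocoon's own code: a generator seeded from a startup timestamp reproduces the same ID sequence for anyone holding the same seed, whereas an OS-backed CSPRNG gives no seed to reproduce. The `ContinuationStore` class, its `session_bound` flag and the constructed `START` value are assumptions made here to model the 'session-bound-continuations' mitigation.

```python
import random
import secrets
from typing import Callable, Dict, Optional, Tuple


def make_weak_generator(startup_time_ms: int) -> random.Random:
    # Models the weakness: the PRNG is seeded from the process start time,
    # a low-entropy value that an observer of service uptime can narrow down.
    return random.Random(startup_time_ms)


def weak_continuation_id(rng: random.Random) -> str:
    # Each id is a deterministic function of the seed and of how many ids preceded it.
    return "%016x" % rng.getrandbits(64)


def strong_continuation_id() -> str:
    # Hardened form: ids come from the OS CSPRNG, so there is no seed to reproduce them.
    return secrets.token_hex(8)


class ContinuationStore:
    """Keeps continuation state by id; when session_bound is set, an id can only be
    resumed by the session that created it (hypothetical model of the mitigation)."""

    def __init__(self, id_factory: Callable[[], str], session_bound: bool) -> None:
        self._id_factory = id_factory
        self._session_bound = session_bound
        self._entries: Dict[str, Tuple[str, object]] = {}

    def create(self, session_id: str, state: object) -> str:
        cid = self._id_factory()
        self._entries[cid] = (session_id, state)
        return cid

    def resume(self, session_id: str, cid: str) -> Optional[object]:
        entry = self._entries.get(cid)
        if entry is None:
            return None
        owner, state = entry
        if self._session_bound and owner != session_id:
            return None  # id is valid but belongs to another session: refuse
        return state


def weak_ids_are_reproducible(startup_time_ms: int, count: int = 3) -> bool:
    # Two generators seeded with the same startup time emit identical id sequences.
    a, b = make_weak_generator(startup_time_ms), make_weak_generator(startup_time_ms)
    return [weak_continuation_id(a) for _ in range(count)] == [weak_continuation_id(b) for _ in range(count)]


if __name__ == "__main__":
    START = 1_700_000_000_000  # constructed sample startup time, ms since the epoch
    print("weak ids reproducible from seed:", weak_ids_are_reproducible(START))
    store = ContinuationStore(strong_continuation_id, session_bound=True)
    cid = store.create("session-A", {"step": 2})
    print("other session resumes:", store.resume("session-B", cid))
```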