Predictable Initialization of SecureRandom.random_bytes in Ruby

Predictable Initialization of SecureRandom.random_bytes in Ruby

CVE-2011-2705 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

Learn more about our Web Application Penetration Testing UK.