Lucene search
K

85 matches found

Github Security Blog
Github Security Blog
added 2020/01/27 7:28 p.m.100 views

Default development error handler in Ratpack is vulnerable to HTML content injection (XSS)

Versions of Ratpack from 0.9.10 through 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' aka. XSS in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data. As a...

6.1CVSS1.4AI score0.00857EPSS
Exploits1References5Affected Software1
vulnersOsv
vulnersOsv
added 2020/01/27 7:28 p.m.6 views

com.bertramlabs.plugins:ratpack-asset-pipeline (>=2.2.7 <=4.3.0), com.bytekast.serverless-local-apigateway:com.bytekast.serverless-local-apigateway.gradle.plugin (>=0.4 <=0.5) +88 more potentially affected by CVE-2019-10770 via io.ratpack:ratpack-core (>=0.9.0 <=1.7.5)

io.ratpack:ratpack-core MAVEN version =0.9.0, =2.2.7, =0.4, =0.0.1, =0.0.1, =0.0.2, =1.0.0, =1.2, =1.2, =1.3, =1.1, =1.1, =1.5, =1.1, =1.8 and more Source cves: CVE-2019-10770 Source advisory: OSV:GHSA-R2WF-Q3X4-HRV9...

6.1CVSS6.3AI score0.00857EPSS
Exploits1
OSV
OSV
added 2020/01/27 7:28 p.m.12 views

GHSA-R2WF-Q3X4-HRV9 Default development error handler in Ratpack is vulnerable to HTML content injection (XSS)

Versions of Ratpack from 0.9.10 through 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' aka. XSS in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data. As a...

6.1CVSS6.2AI score0.00857EPSS
Exploits1References4
Snyk
Snyk
added 2019/11/19 12:2 p.m.2 views

Cross-site Scripting (XSS)

Overview io.ratpack:ratpack-core is a simple, capable, toolkit for creating high performance web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS. This affects the development mode error handler when an exception message contains untrusted data. Note the...

6.3CVSS5.3AI score0.00857EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2019/11/19 12:2 p.m.5 views

com.bertramlabs.plugins:ratpack-asset-pipeline (>=2.2.7 <=4.3.0), com.bytekast.serverless-local-apigateway:com.bytekast.serverless-local-apigateway.gradle.plugin (>=0.4 <=0.5) +88 more potentially affected by CVE-2019-10770 via io.ratpack:ratpack-core (>=0.9.10 <=1.7.5)

io.ratpack:ratpack-core MAVEN version =0.9.10, =2.2.7, =0.4, =0.0.1, =0.0.1, =0.0.2, =1.0.0, =1.2, =1.2, =1.3, =1.1, =1.1, =1.5, =1.1, =1.8 and more Source cves: CVE-2019-10770 Source advisory: SNYK:JAVA-IORATPACK-534882...

6.1CVSS6.3AI score0.00857EPSS
Exploits1
OSV
OSV
added 2019/10/21 4:8 p.m.3 views

GHSA-MVQP-Q37C-WF9J io.ratpack:ratpack-core vulnerable to Improper Neutralization of Special Elements in Output ('Injection')

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Response Splitting' Versions of Ratpack 0.9.1 through and including 1.7.4 are vulnerable to HTTP Response Splitting, if untrusted and unsanitized data is used to populate the headers of an HTTP response. An attacker can...

7.5CVSS6.9AI score0.02153EPSS
Exploits0References8
vulnersOsv
vulnersOsv
added 2019/10/21 4:8 p.m.6 views

com.bertramlabs.plugins:ratpack-asset-pipeline (>=2.2.7 <=4.3.0), com.bytekast.serverless-local-apigateway:com.bytekast.serverless-local-apigateway.gradle.plugin (>=0.4 <=0.5) +88 more potentially affected by CVE-2019-17513 via io.ratpack:ratpack-core (>=0.9.0 <=1.7.4)

io.ratpack:ratpack-core MAVEN version =0.9.0, =2.2.7, =0.4, =0.0.1, =0.0.1, =0.0.2, =1.0.0, =1.2, =1.2, =1.3, =1.1, =1.1, =1.5, =1.1, =1.8 and more Source cves: CVE-2019-17513 Source advisory: OSV:GHSA-MVQP-Q37C-WF9J...

7.5CVSS6.4AI score0.02153EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2019/10/21 4:8 p.m.36 views

io.ratpack:ratpack-core vulnerable to Improper Neutralization of Special Elements in Output ('Injection')

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Response Splitting' Versions of Ratpack 0.9.1 through and including 1.7.4 are vulnerable to HTTP Response Splitting, if untrusted and unsanitized data is used to populate the headers of an HTTP response. An attacker can...

7.5CVSS0.7AI score0.02153EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2019/10/21 7:28 a.m.18 views

HTTP Response Splitting

ratpack-core is vulnerable to HTTP response splitting. The vulnerability exists due to the lack of validation of response header values as the DefaultHttpHeaders object is created with verification disabled by default, allowing malicious user-supplied values to be part of response headers...

7.5CVSS1.7AI score0.02153EPSS
Exploits0References6Affected Software1
CNVD
CNVD
added 2019/10/21 12:0 a.m.2 views

Ratpack Input Validation Error Vulnerability

Ratpack is a Java library for building scalable HTTP applications. An input validation error vulnerability exists in Ratpack versions prior to 1.7.5, which can be exploited to conduct http response splitting attacks by constructing HTTP headers with untrusted data...

7.5CVSS6.8AI score0.02153EPSS
Exploits0References1
OSV
OSV
added 2019/10/18 3:15 a.m.12 views

CVE-2019-17513

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur...

7.5CVSS7AI score
Exploits0References5
NVD
NVD
added 2019/10/18 3:15 a.m.22 views

CVE-2019-17513

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur...

7.5CVSS7.4AI score0.02153EPSS
Exploits0References5
Prion
Prion
added 2019/10/18 3:15 a.m.19 views

Design/Logic Flaw

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur...

5CVSS6.8AI score0.02153EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2019/10/18 2:36 a.m.236 views

CVE-2019-17513

CVE-2019-17513 affects Ratpack before 1.7.5. The root cause is misuse of Netty’s DefaultHttpHeaders with validation disabled, allowing untrusted input used in HTTP headers to cause HTTP Response Splitting (CRLF injection). Upgrading Ratpack to 1.7.5 (or later) patches the issue by restoring heade...

7.5CVSS7.3AI score0.02153EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2019/10/18 2:36 a.m.27 views

CVE-2019-17513

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur...

7.4AI score0.02153EPSS
Exploits0References5
Snyk
Snyk
added 2019/10/17 9:26 a.m.1 views

HTTP Response Splitting

Overview io.ratpack:ratpack-core is a simple, capable, toolkit for creating high performance web applications. Affected versions of this package are vulnerable to HTTP Response Splitting. If untrusted and unsanitized data is used to populate the headers of an HTTP response, an attacker can utiliz...

7.5CVSS6.9AI score0.02153EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2019/10/17 9:26 a.m.5 views

com.bertramlabs.plugins:ratpack-asset-pipeline (>=2.2.7 <=4.3.0), com.bytekast.serverless-local-apigateway:com.bytekast.serverless-local-apigateway.gradle.plugin (>=0.4 <=0.5) +88 more potentially affected by CVE-2019-17513 via io.ratpack:ratpack-core (>=0.9.10 <=1.7.4)

io.ratpack:ratpack-core MAVEN version =0.9.10, =2.2.7, =0.4, =0.0.1, =0.0.1, =0.0.2, =1.0.0, =1.2, =1.2, =1.3, =1.1, =1.1, =1.5, =1.1, =1.8 and more Source cves: CVE-2019-17513 Source advisory: SNYK:JAVA-IORATPACK-473841...

7.5CVSS6.4AI score0.02153EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2019/05/14 4:1 a.m.34 views

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs...

4.3CVSS3.2AI score0.01315EPSS
Exploits0References5Affected Software3
vulnersOsv
vulnersOsv
added 2019/05/14 4:1 a.m.3 views

com.github.grooviter:gql-ratpack (=0.5.0), io.ratpack:ratpack-pac4j (>=0.9.3 <=1.10.0-milestone-39) +3 more potentially affected by CVE-2019-11808 via io.ratpack:ratpack-session (>=0.9.10 <=1.6.0)

io.ratpack:ratpack-session MAVEN version =0.9.10, =0.9.3, =1.0.0, =1.10.0-milestone-1, =1.4.6, =3.0.0 Source cves: CVE-2019-11808 Source advisory: OSV:GHSA-54MG-VGRP-MWX9...

4.3CVSS5.8AI score0.01315EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2019/05/14 4:1 a.m.4 views

com.bytekast.serverless-local-apigateway:com.bytekast.serverless-local-apigateway.gradle.plugin (>=0.4 <=0.5), gradle.plugin.com.bytekast:serverless-local-apigateway (>=0.4 <=0.5) +1 more potentially affected by CVE-2019-11808 via io.ratpack:ratpack-groovy (>=0.9.0 <=1.6.0)

io.ratpack:ratpack-groovy MAVEN version =0.9.0, =0.4, =0.4, =0.9.0, =1.10.0-milestone-39 Source cves: CVE-2019-11808 Source advisory: OSV:GHSA-54MG-VGRP-MWX9...

4.3CVSS5.8AI score0.01315EPSS
Exploits0
Rows per page
Query Builder