2 matches found
Ratpack's default client side session signing key is highly predictable
Impact The client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used which is recommended, but is not on by default, the session data could be tampered with by someone with...
PT-2021-18242 · Ratpack · Ratpack
Name of the Vulnerable Software and Affected Versions: Ratpack versions prior to 1.9.0 Description: The client side session module in Ratpack uses the application startup time as the signing key by default. If an attacker can determine this time and encryption is not used, the session data could ...