Lucene search
K
Ratpack ProjectRatpack

6 matches found

CVE
CVE
added 2019/10/18 2:36 a.m.235 views

CVE-2019-17513

CVE-2019-17513 affects Ratpack before 1.7.5. The root cause is misuse of Netty’s DefaultHttpHeaders with validation disabled, allowing untrusted input used in HTTP headers to cause HTTP Response Splitting (CRLF injection). Upgrading Ratpack to 1.7.5 (or later) patches the issue by restoring heade...

7.5CVSS7.3AI score0.02153EPSS
CVE
CVE
added 2021/06/29 6:35 p.m.79 views

CVE-2021-29485

Ratpack vulnerability CVE-2021-29485 affects versions before 1.9.0 when using Ratpack's session storage. An attacker can achieve remote code execution by crafting a Java deserialization gadget chain in the session data, provided the application writes to the session store. If an application does ...

9.9CVSS8.8AI score0.01973EPSS
CVE
CVE
added 2021/06/29 6:20 p.m.78 views

CVE-2021-29481

CVE-2021-29481 affects Ratpack versions before 1.9.0, where the default client-side session configuration stores data in cookies in an unencrypted but signed form. This can allow an attacker with cookie access to read sensitive information if such data is stored in the session and the cookie is l...

7.5CVSS6.7AI score0.00455EPSS
CVE
CVE
added 2021/06/29 2:35 p.m.77 views

CVE-2021-29479

Summary: Ratpack before 1.9.0 is vulnerable to cache poisoning via the X-Forwarded-Host header. If the cache key does not include X-Forwarded-Host and a custom PublicAddress is not configured, Ratpack’s default inferring PublicAddress can be exploited to redirect cached responses to an attacker s...

7CVSS6.4AI score0.00857EPSS
CVE
CVE
added 2019/05/07 6:53 a.m.75 views

CVE-2019-11808

CVE-2019-11808 affects Ratpack versions before 1.6.1, where session IDs are generated using a cryptographically weak PRNG in the JDK’s ThreadLocalRandom. The consequence is that if an attacker can narrow the server-start window and observe a session ID, they could theoretically determine the sequ...

4.3CVSS4.4AI score0.01315EPSS
CVE
CVE
added 2021/06/29 6:15 p.m.68 views

CVE-2021-29480

CVE-2021-29480 affects Ratpack prior to 1.9.0, where the client-side session module uses the application startup time as the signing key by default. If an attacker can determine this time and encryption is not enabled, session data could be tampered with via cookie manipulation. As of Ratpack 1.9...

4.4CVSS4.1AI score0.00262EPSS