CVE-2021-29479
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Summary
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key. Users are only vulnerable if they do not configure a custom PublicAddress instance. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of PublicAddress which is vulnerable. This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location. The vulnerability was patched in Ratpack 1.9.0. As a workaround, ensure that ServerConfigBuilder::publicAddress correctly configures the server in production.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ratpack | ratpack | < 1.9.0 | affected |
Weaknesses
- CWE-807: CWE-807: Reliance on Untrusted Inputs in a Security Decision
ADP Enrichment
CVE Program Container
Additional References
- https://portswigger.net/web-security/web-cache-poisoning
- https://github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q
References
- https://portswigger.net/web-security/web-cache-poisoning
- https://github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.