GHSA-w6rq-6h34-vh7q

Source

https://github.com/advisories/GHSA-w6rq-6h34-vh7q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-w6rq-6h34-vh7q/GHSA-w6rq-6h34-vh7q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w6rq-6h34-vh7q

Aliases

CVE-2021-29479

Published

2021-07-01T17:02:38Z

Modified

2023-11-08T04:05:35.170526Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L CVSS Calculator

Summary

Cached redirect poisoning via X-Forwarded-Host header

Details

A user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key.

Users are only vulnerable if they do not configure a custom PublicAddress instance. A custom PublicAddress can be specified by using ServerConfigBuilder::publicAddress. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of PublicAddress which is vulnerable.

Impact

This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location.

Patches

As of Ratpack 1.9.0, two changes have been made that mitigate this vulnerability:

The default PublicAddress implementation no longer infers the address from the request context, instead relying on the configured bind host/port
Relative redirects issued by the application are no longer absolutized; they are passed through as-is

Workarounds

In production, ensure that ServerConfigBuilder::publicAddress correctly configures the server.

References

https://portswigger.net/web-security/web-cache-poisoning

Database specific

{
    "nvd_published_at": "2021-06-29T15:15:00Z",
    "github_reviewed_at": "2021-06-30T17:50:31Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-807"
    ]
}

References

Affected packages

Maven / io.ratpack:ratpack-core

Package

Name: io.ratpack:ratpack-core; View open source insights on deps.dev
Purl: pkg:maven/io.ratpack/ratpack-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.0

Affected versions

0.*

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

1.*

1.0.0-rc-1

1.0.0-rc-2

1.0.0-rc-3

1.0.0

1.1.0

1.1.1

1.2.0-RC-1

1.2.0-rc-2

1.2.0

1.3.0-rc-1

1.3.0-rc-2

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0-rc-1

1.4.0-rc-2

1.4.0-rc-3

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.6.0-rc-1

1.6.0-rc-2

1.6.0-rc-3

1.6.0-rc-4

1.6.0

1.6.1

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.8.0

1.8.1

1.8.2

1.9.0-rc-1

1.9.0-rc-2