io.ratpack:ratpack-core@1.3.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the io.ratpack:ratpack-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry gives the vulnerability, its severity (H = high, M = medium) and the vulnerable version range.

  • [H] Web Cache Poisoning

io.ratpack:ratpack-core is a simple, capable toolkit for creating high-performance web applications.

Affected versions of this package are vulnerable to Web Cache Poisoning. A user-supplied X-Forwarded-Host header can be used to poison a cache that fronts a Ratpack server if that cache does not include the X-Forwarded-Host header in its cache key. Users are only vulnerable if they do not configure a custom PublicAddress instance.

How to fix Web Cache Poisoning?

Upgrade io.ratpack:ratpack-core to version 1.9.0 or higher.

Vulnerable versions: [,1.9.0)
  • [M] Cross-site Scripting (XSS)


Affected versions of this package are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data.

Note that the production mode error handler is not vulnerable, so exploiting this in production would require that users have not disabled development mode.

How to fix Cross-site Scripting (XSS)?

Upgrade io.ratpack:ratpack-core to version 1.7.6 or higher.

Vulnerable versions: [0.9.10,1.7.6)
  • [H] HTTP Response Splitting


Affected versions of this package are vulnerable to HTTP Response Splitting. If untrusted and unsanitized data is used to populate the headers of an HTTP response, an attacker can use this vulnerability to make the server issue any HTTP response they specify. The root cause was the use of the Netty DefaultHttpHeaders object with header verification disabled.

If your application uses arbitrary user input as the value of a response header, it is vulnerable. If your application does not use arbitrary values as response header values, it is not vulnerable.

How to fix HTTP Response Splitting?

Upgrade io.ratpack:ratpack-core to version 1.7.5 or higher.

Vulnerable versions: (0.9.1,1.7.5)