Known vulnerabilities in the io.ratpack:ratpack-session package. This does not include vulnerabilities belonging to this package’s dependencies.
io.ratpack:ratpack-session is the module that adds HTTP session support to Ratpack applications.

| Vulnerability | Description | How to fix | Vulnerable Version |
|---|---|---|---|
| Insecure Randomness | The client-side session module by default uses the application startup time as the signing key. If an attacker can determine this time, and if encryption is not used (it is recommended but not enabled by default), the session data could be tampered with by anyone able to write cookies. | Upgrade | [,1.9.0) |
| Insecure Defaults | The default configuration of client-side sessions results in unencrypted, but signed, data being set as cookie values. If anything sensitive is placed in the session, it can be read by anything with access to the cookies. | Upgrade | [,1.9.0) |
| Deserialization of Untrusted Data | A malicious attacker can achieve Remote Code Execution (RCE) via a maliciously crafted Java deserialization gadget chain leveraged against the Ratpack session store. | Upgrade | [,1.9.0) |
| Insecure Randomness | Session IDs are generated using a weak PRNG within the | Upgrade | [,1.6.1) |