io.ratpack:ratpack-session@1.0.0-rc-3 vulnerabilities

  • latest version

    1.10.0-milestone-38

  • first published

    10 years ago

  • latest version published

    1 month ago

  • Direct Vulnerabilities

    Known vulnerabilities in the io.ratpack:ratpack-session package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • [M] Insecure Randomness

    io.ratpack:ratpack-session is a module that provides support for HTTP sessions within Ratpack applications.

    Affected versions of this package are vulnerable to Insecure Randomness. The client-side session module by default uses the application startup time as the signing key. If an attacker can determine this time, and if encryption is not used (which is recommended but not enabled by default), the session data could be tampered with by anyone able to write cookies.

    How to fix Insecure Randomness?

    Upgrade io.ratpack:ratpack-session to version 1.9.0 or higher.

    Vulnerable versions: [,1.9.0)
    • [M] Insecure Defaults

    io.ratpack:ratpack-session is a module that provides support for HTTP sessions within Ratpack applications.

    Affected versions of this package are vulnerable to Insecure Defaults. The default configuration of client-side sessions stores signed but unencrypted data as cookie values. This means that if something sensitive is placed in the session, it can be read by anything with access to the cookies.

    How to fix Insecure Defaults?

    Upgrade io.ratpack:ratpack-session to version 1.9.0 or higher.

    Vulnerable versions: [,1.9.0)
    • [H] Deserialization of Untrusted Data

    io.ratpack:ratpack-session is a module that provides support for HTTP sessions within Ratpack applications.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can achieve Remote Code Execution (RCE) via a maliciously crafted Java deserialization gadget chain leveraged against the Ratpack session store.

    How to fix Deserialization of Untrusted Data?

    Upgrade io.ratpack:ratpack-session to version 1.9.0 or higher.

    Vulnerable versions: [,1.9.0)
    • [M] Insecure Randomness

    io.ratpack:ratpack-session is a module that provides support for HTTP sessions within Ratpack applications.

    Affected versions of this package are vulnerable to Insecure Randomness. Session IDs are generated with ThreadLocalRandom, a non-cryptographic PRNG. An attacker who can narrow the server start time down to a small window and obtain a session ID value could, in theory, use this weakness to determine the sequence of session IDs.

    How to fix Insecure Randomness?

    Upgrade io.ratpack:ratpack-session to version 1.6.1 or higher.

    Vulnerable versions: [,1.6.1)