cvelistv5 - CVE-2021-29480

CVE-2021-29480 (GCVE-0-2021-29480)

Vulnerability from cvelistv5 – Published: 2021-06-29 18:15 – Updated: 2024-08-03 22:11

Summary

Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation's recommendation.

Severity ?

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-340 - Generation of Predictable Numbers or Identifiers

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ratpack/ratpack/security/advis…	x_refsource_CONFIRM
	https://github.com/ratpack/ratpack/blob/29434f7ac…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ratpack	ratpack	Affected: < 1.9.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:11:05.265Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ratpack",
          "vendor": "ratpack",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-340",
              "description": "CWE-340: Generation of Predictable Numbers or Identifiers",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-29T18:15:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
        }
      ],
      "source": {
        "advisory": "GHSA-2cc5-23r7-vc4v",
        "discovery": "UNKNOWN"
      },
      "title": "Default client side session signing key is highly predictable",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29480",
          "STATE": "PUBLIC",
          "TITLE": "Default client side session signing key is highly predictable"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ratpack",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.9.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ratpack"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-340: Generation of Predictable Numbers or Identifiers"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v",
              "refsource": "CONFIRM",
              "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
            },
            {
              "name": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29",
              "refsource": "MISC",
              "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2cc5-23r7-vc4v",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29480",
    "datePublished": "2021-06-29T18:15:12",
    "dateReserved": "2021-03-30T00:00:00",
    "dateUpdated": "2024-08-03T22:11:05.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.9.0\", \"matchCriteriaId\": \"E972830A-9822-4DD9-BB64-9CC2B69018D5\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation.\"}, {\"lang\": \"es\", \"value\": \"Ratpack es un kit de herramientas para crear aplicaciones web. En las versiones anteriores a 1.9.0, el m\\u00f3dulo de sesi\\u00f3n del lado del cliente usa por defecto la hora de inicio de la aplicaci\\u00f3n como clave de firma. Esto significa que si un atacante puede determinar esta hora, y si no se usa tambi\\u00e9n el cifrado (que se recomienda, pero no est\\u00e1 activado por defecto), los datos de la sesi\\u00f3n podr\\u00edan ser manipulados por alguien con la capacidad de escribir cookies. La configuraci\\u00f3n por defecto es inapropiada para su uso en producci\\u00f3n, ya que un reinicio de la aplicaci\\u00f3n invalida todas las sesiones y no es compatible con varios hosts, pero no se impide activamente su uso. A partir de Ratpack versi\\u00f3n 1.9.0, el valor por defecto es un valor generado aleatoriamente de forma segura, generado en el momento de iniciar la aplicaci\\u00f3n. Como soluci\\u00f3n, proporcione una clave de firma alternativa, seg\\u00fan la recomendaci\\u00f3n de la documentaci\\u00f3n\"}]",
      "id": "CVE-2021-29480",
      "lastModified": "2024-11-21T06:01:13.587",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 4.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 3.1, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-06-29T19:15:09.340",
      "references": "[{\"url\": \"https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-340\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-330\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-29480\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-06-29T19:15:09.340\",\"lastModified\":\"2024-11-21T06:01:13.587\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation.\"},{\"lang\":\"es\",\"value\":\"Ratpack es un kit de herramientas para crear aplicaciones web. En las versiones anteriores a 1.9.0, el m\u00f3dulo de sesi\u00f3n del lado del cliente usa por defecto la hora de inicio de la aplicaci\u00f3n como clave de firma. Esto significa que si un atacante puede determinar esta hora, y si no se usa tambi\u00e9n el cifrado (que se recomienda, pero no est\u00e1 activado por defecto), los datos de la sesi\u00f3n podr\u00edan ser manipulados por alguien con la capacidad de escribir cookies. La configuraci\u00f3n por defecto es inapropiada para su uso en producci\u00f3n, ya que un reinicio de la aplicaci\u00f3n invalida todas las sesiones y no es compatible con varios hosts, pero no se impide activamente su uso. A partir de Ratpack versi\u00f3n 1.9.0, el valor por defecto es un valor generado aleatoriamente de forma segura, generado en el momento de iniciar la aplicaci\u00f3n. Como soluci\u00f3n, proporcione una clave de firma alternativa, seg\u00fan la recomendaci\u00f3n de la documentaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-340\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.0\",\"matchCriteriaId\":\"E972830A-9822-4DD9-BB64-9CC2B69018D5\"}]}]}],\"references\":[{\"url\":\"https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

GSD-2021-29480

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-29480

Aliases

CVE-2021-29480

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-29480",
    "description": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation.",
    "id": "GSD-2021-29480"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-29480"
      ],
      "details": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation.",
      "id": "GSD-2021-29480",
      "modified": "2023-12-13T01:23:36.260035Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-29480",
        "STATE": "PUBLIC",
        "TITLE": "Default client side session signing key is highly predictable"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ratpack",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.9.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ratpack"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-340: Generation of Predictable Numbers or Identifiers"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v",
            "refsource": "CONFIRM",
            "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
          },
          {
            "name": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29",
            "refsource": "MISC",
            "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2cc5-23r7-vc4v",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.9.0)",
          "affected_versions": "All versions before 1.9.0",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-330",
            "CWE-937"
          ],
          "date": "2022-08-02",
          "description": "Ratpack is a toolkit for creating web applications., the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation.",
          "fixed_versions": [
            "1.9.0"
          ],
          "identifier": "CVE-2021-29480",
          "identifiers": [
            "CVE-2021-29480",
            "GHSA-2cc5-23r7-vc4v"
          ],
          "not_impacted": "All versions starting from 1.9.0",
          "package_slug": "maven/io.ratpack/ratpack-core",
          "pubdate": "2021-06-29",
          "solution": "Upgrade to version 1.9.0 or above.",
          "title": "Use of Insufficiently Random Values",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29480"
          ],
          "uuid": "c2de20e1-9cc7-4dd0-8f94-fd370babd69d"
        },
        {
          "affected_range": "(,1.9.0)",
          "affected_versions": "All versions before 1.9.0",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-330",
            "CWE-937"
          ],
          "date": "2021-07-08",
          "description": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation.",
          "fixed_versions": [
            "1.9.0"
          ],
          "identifier": "CVE-2021-29480",
          "identifiers": [
            "GHSA-2cc5-23r7-vc4v",
            "CVE-2021-29480"
          ],
          "not_impacted": "All versions starting from 1.9.0",
          "package_slug": "maven/io.ratpack/ratpack-session",
          "pubdate": "2021-07-01",
          "solution": "Upgrade to version 1.9.0 or above.",
          "title": "Use of Insufficiently Random Values",
          "urls": [
            "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29480",
            "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29",
            "https://github.com/advisories/GHSA-2cc5-23r7-vc4v"
          ],
          "uuid": "f24b8cc8-98ff-4f3b-b270-9e5a63577940"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.9.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29480"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-330"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
            },
            {
              "name": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-08-02T16:00Z",
      "publishedDate": "2021-06-29T19:15Z"
    }
  }
}

FKIE_CVE-2021-29480

Vulnerability from fkie_nvd - Published: 2021-06-29 19:15 - Updated: 2024-11-21 06:01

Severity ?

4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29	Third Party Advisory
security-advisories@github.com	https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v	Third Party Advisory

Impacted products

	Vendor	Product	Version
	ratpack_project	ratpack	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E972830A-9822-4DD9-BB64-9CC2B69018D5",
              "versionEndExcluding": "1.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default value is a securely randomly generated value, generated at application startup time. As a workaround, supply an alternative signing key, as per the documentation\u0027s recommendation."
    },
    {
      "lang": "es",
      "value": "Ratpack es un kit de herramientas para crear aplicaciones web. En las versiones anteriores a 1.9.0, el m\u00f3dulo de sesi\u00f3n del lado del cliente usa por defecto la hora de inicio de la aplicaci\u00f3n como clave de firma. Esto significa que si un atacante puede determinar esta hora, y si no se usa tambi\u00e9n el cifrado (que se recomienda, pero no est\u00e1 activado por defecto), los datos de la sesi\u00f3n podr\u00edan ser manipulados por alguien con la capacidad de escribir cookies. La configuraci\u00f3n por defecto es inapropiada para su uso en producci\u00f3n, ya que un reinicio de la aplicaci\u00f3n invalida todas las sesiones y no es compatible con varios hosts, pero no se impide activamente su uso. A partir de Ratpack versi\u00f3n 1.9.0, el valor por defecto es un valor generado aleatoriamente de forma segura, generado en el momento de iniciar la aplicaci\u00f3n. Como soluci\u00f3n, proporcione una clave de firma alternativa, seg\u00fan la recomendaci\u00f3n de la documentaci\u00f3n"
    }
  ],
  "id": "CVE-2021-29480",
  "lastModified": "2024-11-21T06:01:13.587",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-06-29T19:15:09.340",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-340"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-330"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2021-52413

Vulnerability from cnvd - Published: 2021-07-20

Title

Ratpack存在未明漏洞（CNVD-2021-52413）

Description

Ratpack是一款用于构建可扩展HTTP应用程序的Java库。 Ratpack 1.9.0之前版本存在安全漏洞，该漏洞源于客户端会话模块默认使用应用程序启动时间作为签名密钥，攻击者可利用该漏洞篡改会话数据中的cookie。

Severity

低

Patch Name

Ratpack存在未明漏洞（CNVD-2021-52413）的补丁

Patch Description

Ratpack是一款用于构建可扩展HTTP应用程序的Java库。 Ratpack 1.9.0之前版本存在安全漏洞，该漏洞源于客户端会话模块默认使用应用程序启动时间作为签名密钥，攻击者可利用该漏洞篡改会话数据中的cookie。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-29480

Impacted products

Name
Ratpack Ratpack <1.9.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-29480"
    }
  },
  "description": "Ratpack\u662f\u4e00\u6b3e\u7528\u4e8e\u6784\u5efa\u53ef\u6269\u5c55HTTP\u5e94\u7528\u7a0b\u5e8f\u7684Java\u5e93\u3002\n\nRatpack 1.9.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5ba2\u6237\u7aef\u4f1a\u8bdd\u6a21\u5757\u9ed8\u8ba4\u4f7f\u7528\u5e94\u7528\u7a0b\u5e8f\u542f\u52a8\u65f6\u95f4\u4f5c\u4e3a\u7b7e\u540d\u5bc6\u94a5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7be1\u6539\u4f1a\u8bdd\u6570\u636e\u4e2d\u7684cookie\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-52413",
  "openTime": "2021-07-20",
  "patchDescription": "Ratpack\u662f\u4e00\u6b3e\u7528\u4e8e\u6784\u5efa\u53ef\u6269\u5c55HTTP\u5e94\u7528\u7a0b\u5e8f\u7684Java\u5e93\u3002\r\n\r\nRatpack 1.9.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5ba2\u6237\u7aef\u4f1a\u8bdd\u6a21\u5757\u9ed8\u8ba4\u4f7f\u7528\u5e94\u7528\u7a0b\u5e8f\u542f\u52a8\u65f6\u95f4\u4f5c\u4e3a\u7b7e\u540d\u5bc6\u94a5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7be1\u6539\u4f1a\u8bdd\u6570\u636e\u4e2d\u7684cookie\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Ratpack\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-52413\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Ratpack Ratpack \u003c1.9.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-29480",
  "serverity": "\u4f4e",
  "submitTime": "2021-07-01",
  "title": "Ratpack\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-52413\uff09"
}

GHSA-2CC5-23R7-VC4V

Vulnerability from github – Published: 2021-07-01 17:02 – Updated: 2022-08-11 00:17

Summary

Ratpack's default client side session signing key is highly predictable

Details

Impact

The client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies.

The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented.

Vulnerability Location

https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29

Patches

As of Ratpack 1.9.0 the default value is a securely randomly generated value, generated at application startup time.

Workarounds

Supply an alternative signing key, as per the documentation's recommendation.

Severity ?

4.4 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.ratpack:ratpack-session"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-340"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-30T17:49:41Z",
    "nvd_published_at": "2021-06-29T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone with the ability to write cookies. \n\nThe default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible, but its use is not actively prevented.\n\n### Vulnerability Location\n\nhttps://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29\n\n### Patches\n\nAs of Ratpack 1.9.0 the default value is a securely randomly generated value, generated at application startup time. \n\n### Workarounds\n\nSupply an alternative signing key, as per the documentation\u0027s recommendation.\n",
  "id": "GHSA-2cc5-23r7-vc4v",
  "modified": "2022-08-11T00:17:56Z",
  "published": "2021-07-01T17:02:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-2cc5-23r7-vc4v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29480"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ratpack/ratpack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ratpack/ratpack/blob/29434f7ac6fd4b36a4495429b70f4c8163100332/ratpack-session/src/main/java/ratpack/session/clientside/ClientSideSessionConfig.java#L29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ratpack\u0027s default client side session signing key is highly predictable"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-29480 (GCVE-0-2021-29480)

GSD-2021-29480

FKIE_CVE-2021-29480

CNVD-2021-52413

GHSA-2CC5-23R7-VC4V

Impact

Vulnerability Location

Patches

Workarounds

Tags

Sightings

Nomenclature