CVE-2019-10770 (GCVE-0-2019-10770)

Vulnerability from cvelistv5 – Published: 2020-01-28 00:21 – Updated: 2024-08-04 22:32
VLAI?
Summary
All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.
Severity ?
No CVSS data available.
CWE
  • Cross-site Scripting (XSS)
Assigner
References
Impacted products
Vendor Product Version
n/a io.ratpack:ratpack-core Affected: all versions from 0.9.10 inclusive and before 1.7.6
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:32:01.587Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "io.ratpack:ratpack-core",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "all versions from 0.9.10 inclusive and before 1.7.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-28T00:21:46",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2019-10770",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "io.ratpack:ratpack-core",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions from 0.9.10 inclusive and before 1.7.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882",
              "refsource": "CONFIRM",
              "url": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2019-10770",
    "datePublished": "2020-01-28T00:21:46",
    "dateReserved": "2019-04-03T00:00:00",
    "dateUpdated": "2024-08-04T22:32:01.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ratpack:ratpack:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.9.10\", \"versionEndExcluding\": \"1.7.6\", \"matchCriteriaId\": \"0B658FD6-8CEB-4DD6-A610-22B67F2399BF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.\"}, {\"lang\": \"es\", \"value\": \"Todas las versiones de io.ratpack:ratpack-core desde 0.9.10 inclusive y anteriores a 1.7.6, son vulnerables a un ataque de tipo Cross-site Scripting (XSS). Esto afecta al manejador de errores del modo de desarrollo cuando un mensaje de excepci\\u00f3n contiene datos no confiables. Tome en cuenta que el manejador de errores del modo de producci\\u00f3n no es vulnerable, para que este sea utilizado en producci\\u00f3n requerir\\u00eda que los usuarios no deshabiliten el modo de desarrollo.\"}]",
      "id": "CVE-2019-10770",
      "lastModified": "2024-11-21T04:19:53.293",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-01-28T01:15:10.753",
      "references": "[{\"url\": \"https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "report@snyk.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-10770\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2020-01-28T01:15:10.753\",\"lastModified\":\"2024-11-21T04:19:53.293\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.\"},{\"lang\":\"es\",\"value\":\"Todas las versiones de io.ratpack:ratpack-core desde 0.9.10 inclusive y anteriores a 1.7.6, son vulnerables a un ataque de tipo Cross-site Scripting (XSS). Esto afecta al manejador de errores del modo de desarrollo cuando un mensaje de excepci\u00f3n contiene datos no confiables. Tome en cuenta que el manejador de errores del modo de producci\u00f3n no es vulnerable, para que este sea utilizado en producci\u00f3n requerir\u00eda que los usuarios no deshabiliten el modo de desarrollo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ratpack:ratpack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.9.10\",\"versionEndExcluding\":\"1.7.6\",\"matchCriteriaId\":\"0B658FD6-8CEB-4DD6-A610-22B67F2399BF\"}]}]}],\"references\":[{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.