GHSA-W6RQ-6H34-VH7Q

Vulnerability from github – Published: 2021-07-01 17:02 – Updated: 2021-09-01 19:32
VLAI?
Summary
Cached redirect poisoning via X-Forwarded-Host header
Details

A user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key.

Users are only vulnerable if they do not configure a custom PublicAddress instance. A custom PublicAddress can be specified by using ServerConfigBuilder::publicAddress. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of PublicAddress which is vulnerable.

Impact

This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location.

Patches

As of Ratpack 1.9.0, two changes have been made that mitigate this vulnerability:

  1. The default PublicAddress implementation no longer infers the address from the request context, instead relying on the configured bind host/port
  2. Relative redirects issued by the application are no longer absolutized; they are passed through as-is

Workarounds

In production, ensure that ServerConfigBuilder::publicAddress correctly configures the server.

References

  • https://portswigger.net/web-security/web-cache-poisoning
Severity ?
7.0 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.ratpack:ratpack-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-30T17:50:31Z",
    "nvd_published_at": "2021-06-29T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A user supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header as a cache key.\n\nUsers are only vulnerable if they do not configure a custom `PublicAddress` instance. A custom `PublicAddress` can be specified by using [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-). For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of `PublicAddress` which is vulnerable.\n\n### Impact\n\nThis can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location.\n\n### Patches\n\nAs of Ratpack 1.9.0, two changes have been made that mitigate this vulnerability:\n\n1. The default PublicAddress implementation no longer infers the address from the request context, instead relying on the configured bind host/port\n2. Relative redirects issued by the application are no longer absolutized; they are passed through as-is\n\n### Workarounds\n\nIn production, ensure that [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-) correctly configures the server.\n\n### References\n - https://portswigger.net/web-security/web-cache-poisoning",
  "id": "GHSA-w6rq-6h34-vh7q",
  "modified": "2021-09-01T19:32:52Z",
  "published": "2021-07-01T17:02:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29479"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ratpack/ratpack"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/web-security/web-cache-poisoning"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cached redirect poisoning via X-Forwarded-Host header"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.