Vulnerability Details : CVE-2019-17513
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
Products affected by CVE-2019-17513
- cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-17513
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 57 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-17513
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-17513
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-17513
-
https://ratpack.io/versions/1.7.5
Ratpack: Lean & powerful HTTP apps for the JVMVendor Advisory
-
https://github.com/ratpack/ratpack/releases/tag/v1.7.5
Release v1.7.5 · ratpack/ratpack · GitHubRelease Notes;Third Party Advisory
-
https://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') · Advisory · ratpack/ratpack · GitHubThird Party Advisory
-
https://github.com/ratpack/ratpack/commit/efb910d38a96494256f36675ef0e5061097dd77d
Enable HTTP header validation · ratpack/ratpack@efb910d · GitHubPatch
-
https://github.com/ratpack/ratpack/commit/c560a8d10cb8bdd7a526c1ca2e67c8f224ca23ae
Add test for response header validation · ratpack/ratpack@c560a8d · GitHubPatch
Jump to