Vulnerability Details : CVE-2021-29479
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user-supplied `X-Forwarded-Host` header can be used to poison a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header. Only deployments that do not configure a custom `PublicAddress` instance are affected: before 1.9.0, Ratpack by default uses an inferring `PublicAddress` implementation that trusts this header when it builds absolute URLs. An attacker can therefore make the server emit a redirect whose `Location` points at a host of the attacker's choosing, and if the cache stores that response under a key that ignores the header, subsequent users are redirected to the attacker's site instead of the intended location. The vulnerability was patched in Ratpack 1.9.0. As a workaround, ensure that `ServerConfigBuilder::publicAddress` is set to the correct public address for the production deployment.
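The following is an added model of the attack described above, not Ratpack's code and not the advisory's proof of concept. It simulates an origin whose redirect `Location` is built from a "public address" that is either inferred from `X-Forwarded-Host` (the pre-1.9.0 default) or fixed by configuration (the workaround), behind a cache whose key is a configurable set of request properties. The host names, paths and header values are constructed for the example.

```python
"""Model of CVE-2021-29479: cached redirect poisoning via X-Forwarded-Host.

Constructed example, not Ratpack code. Three parts:
  - an origin that answers /old with a redirect whose absolute Location is
    built from a "public address" function;
  - a cache in front of it keyed on the path plus any configured headers;
  - an attacker request followed by a victim request for the same path.
"""
from dataclasses import dataclass

ORIGIN_HOST = "app.example"  # the legitimate site (constructed)


@dataclass(frozen=True)
class Request:
    path: str
    headers: dict  # header name (lower-cased) -> value

    def header(self, name, default=None):
        return self.headers.get(name.lower(), default)


@dataclass
class Response:
    status: int
    headers: dict


def inferred_public_address(req):
    """Models the pre-1.9.0 inferring PublicAddress: trusts X-Forwarded-Host."""
    host = req.header("X-Forwarded-Host") or req.header("Host") or ORIGIN_HOST
    scheme = req.header("X-Forwarded-Proto") or "https"
    return f"{scheme}://{host}"


def configured_public_address(req):
    """Models the workaround: a fixed address set via ServerConfigBuilder.publicAddress."""
    return f"https://{ORIGIN_HOST}"


def origin(req, public_address):
    """Origin handler: /old redirects to /new using an absolute Location."""
    if req.path == "/old":
        return Response(302, {"Location": public_address(req) + "/new"})
    return Response(200, {})


class Cache:
    """Caches responses keyed on (path, *values of key_headers)."""

    def __init__(self, origin_fn, key_headers=()):
        self.origin_fn = origin_fn
        self.key_headers = tuple(h.lower() for h in key_headers)
        self.store = {}

    def key(self, req):
        return (req.path,) + tuple(req.header(h) for h in self.key_headers)

    def get(self, req):
        k = self.key(req)
        if k not in self.store:  # cache miss: fetch from origin and store
            self.store[k] = self.origin_fn(req)
        return self.store[k]


def run_scenario(public_address, key_headers=()):
    """Attacker primes the cache for /old; returns the Location the victim then sees."""
    cache = Cache(lambda r: origin(r, public_address), key_headers)
    attacker = Request("/old", {"host": ORIGIN_HOST,
                                "x-forwarded-host": "attacker.example"})
    victim = Request("/old", {"host": ORIGIN_HOST})
    cache.get(attacker)  # poisoning attempt
    return cache.get(victim).headers["Location"]


def victim_redirected_offsite(public_address, key_headers=()):
    return not run_scenario(public_address, key_headers).startswith(
        f"https://{ORIGIN_HOST}/")


if __name__ == "__main__":
    print("vulnerable default, path-only cache key:",
          run_scenario(inferred_public_address))
    print("vulnerable default, X-Forwarded-Host in cache key:",
          run_scenario(inferred_public_address, ["X-Forwarded-Host"]))
    print("configured public address, path-only cache key:",
          run_scenario(configured_public_address))
```

Either mitigation on its own closes the hole in the model: keying the cache on `X-Forwarded-Host` stops the attacker's response from being served to others, and a configured public address stops the header from influencing the redirect at all. The second is the one the advisory recommends, because it also protects clients that reach the server without a cache in between.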
Products affected by CVE-2021-29479
- cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-29479
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~39% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2021-29479
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:N | 4.9 | 4.9 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
7.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L | 2.2 | 4.7 | GitHub, Inc. | |
CWE ids for CVE-2021-29479
- The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2021-29479
- https://portswigger.net/web-security/web-cache-poisoning (Web cache poisoning | Web Security Academy): Exploit; Third Party Advisory
- https://github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q (Cached redirect poisoning via X-Forwarded-Host header · Advisory · ratpack/ratpack · GitHub): Third Party Advisory