Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXIyd2YtcTN4NC1ocnY5
Default development error handler in Ratpack is vulnerable to HTML content injection (XSS)
Versions of Ratpack from 0.9.10 through 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka XSS) in the development error handler. An attacker can use this to perform XSS when an exception message contains untrusted data, because the development error handler renders the message into the HTML error page without escaping it.
As a simplistic example (the snippet is deliberately vulnerable; it is shown here wrapped in a class with the import it needs so that it compiles as-is):

    import ratpack.server.RatpackServer;

    public class VulnerableExample {
      public static void main(String[] args) throws Exception {
        RatpackServer startedServer = RatpackServer.start(server -> {
          server.handlers(chain -> chain.all(ctx -> {
            // User supplied query parameter
            String message = ctx.getRequest().getQueryParams().get("message");
            // User supplied data appended to the message in an exception;
            // the development error handler renders this message unescaped
            throw new RuntimeException("An error occurred: " + message);
          }));
        });
      }
    }
Impact
- Cross-Site Scripting
Patches
This vulnerability has been patched in Ratpack version 1.7.6.
Workarounds
If you are unable to update your version of Ratpack, we recommend the following workarounds and mitigations.
- Ensure that development mode is disabled in production.
- Don't use real customer data (i.e. untrusted user input) in development.
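As an added example that is not part of the advisory or of the Ratpack project, the handler from above restructured so that the untrusted query value never reaches an exception message, with development mode switched off explicitly. It assumes the Ratpack APIs RatpackServerSpec.serverConfig, ServerConfigBuilder.development(boolean) and Context.render(Object) behave as used here; the helper names are the example's own.

```java
import ratpack.server.RatpackServer;

import java.util.UUID;
import java.util.logging.Logger;

public class HardenedExample {
  private static final Logger LOG = Logger.getLogger(HardenedExample.class.getName());

  // Builds the exception without the raw request value. Whatever an error
  // handler later renders carries only an opaque correlation id; the
  // untrusted value goes to the log, where it is not interpreted as HTML.
  static RuntimeException failWithoutLeaking(String untrusted, String reason) {
    String correlationId = UUID.randomUUID().toString();
    LOG.warning("request failed [" + correlationId + "] reason=" + reason
        + " input=" + sanitizeForLog(untrusted));
    return new RuntimeException("An error occurred (ref " + correlationId + ")");
  }

  // Bounds the logged value and strips control characters so an oversized
  // or newline-bearing parameter cannot forge extra log lines.
  static String sanitizeForLog(String value) {
    if (value == null) {
      return "<null>";
    }
    String cleaned = value.replaceAll("\\p{Cntrl}", "?");
    return cleaned.length() <= 64 ? cleaned : cleaned.substring(0, 64) + "...";
  }

  public static void main(String[] args) throws Exception {
    RatpackServer.start(server -> {
      // Assumption: development mode is opted out of explicitly rather than
      // relying on the default, so the development error page is never served.
      server.serverConfig(config -> config.development(false));
      server.handlers(chain -> chain.all(ctx -> {
        String message = ctx.getRequest().getQueryParams().get("message");
        if (message == null || message.isEmpty()) {
          ctx.render("ok");
          return;
        }
        // Previously: throw new RuntimeException("An error occurred: " + message);
        throw failWithoutLeaking(message, "unexpected message parameter");
      }));
    });
  }
}
```

Upgrading to 1.7.6 remains the actual fix; this only removes the application's own contribution of untrusted data to error pages.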
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in ratpack/ratpack
- Ask in our Slack channel
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXIyd2YtcTN4NC1ocnY5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-r2wf-q3x4-hrv9, CVE-2019-10770
References:
- https://github.com/ratpack/ratpack/security/advisories/GHSA-r2wf-q3x4-hrv9
- https://github.com/ratpack/ratpack/commit/a3cbb13be1527874528c3b99fc33517c0297b6d3
- https://nvd.nist.gov/vuln/detail/CVE-2019-10770
- https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882
- https://github.com/advisories/GHSA-r2wf-q3x4-hrv9
Blast Radius: 14.3
Affected Packages
maven:io.ratpack:ratpack-core
Dependent packages: 29
Dependent repositories: 224
Downloads:
Affected Version Ranges: < 1.7.6
Fixed in: 1.7.6
All affected versions: 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5
All unaffected versions: 1.7.6, 1.8.0, 1.8.1, 1.8.2, 1.9.0