Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc2cnEtNmgzNC12aDdx
Cached redirect poisoning via X-Forwarded-Host header
A user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key.
Users are only vulnerable if they do not configure a custom PublicAddress instance. A custom PublicAddress can be specified by using ServerConfigBuilder::publicAddress. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of PublicAddress which is vulnerable.
Impact
This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location.
Patches
As of Ratpack 1.9.0, two changes have been made that mitigate this vulnerability:
- The default PublicAddress implementation no longer infers the address from the request context, instead relying on the configured bind host/port
- Relative redirects issued by the application are no longer absolutized; they are passed through as-is
Workarounds
In production, ensure that ServerConfigBuilder::publicAddress correctly configures the server.
References
Permalink: https://github.com/advisories/GHSA-w6rq-6h34-vh7qJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc2cnEtNmgzNC12aDdx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 7.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Identifiers: GHSA-w6rq-6h34-vh7q, CVE-2021-29479
References:
- https://github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q
- https://nvd.nist.gov/vuln/detail/CVE-2021-29479
- https://portswigger.net/web-security/web-cache-poisoning
- https://github.com/advisories/GHSA-w6rq-6h34-vh7q
Blast Radius: 16.5
Affected Packages
maven:io.ratpack:ratpack-core
Dependent packages: 29Dependent repositories: 224
Downloads:
Affected Version Ranges: < 1.9.0
Fixed in: 1.9.0
All affected versions: 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8.0, 1.8.1, 1.8.2
All unaffected versions: 1.9.0