SB2019101811 - Input validation error in Ratpack Ratpack
Published: October 18, 2019 Updated: July 17, 2020
Security Bulletin ID
SB2019101811
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2019-17513)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
Remediation
Install update from vendor's website.
References
- https://github.com/ratpack/ratpack/commit/c560a8d10cb8bdd7a526c1ca2e67c8f224ca23ae
- https://github.com/ratpack/ratpack/commit/efb910d38a96494256f36675ef0e5061097dd77d
- https://github.com/ratpack/ratpack/releases/tag/v1.7.5
- https://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j
- https://ratpack.io/versions/1.7.5