Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-17513 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Ratpack Universal components / Libraries / Libraries used by multiple products |
Vendor | Ratpack |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU30722
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-17513
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
MitigationInstall update from vendor's website.
Vulnerable software versionsRatpack: 1.7.0 - 1.7.4
External linkshttp://github.com/ratpack/ratpack/commit/c560a8d10cb8bdd7a526c1ca2e67c8f224ca23ae
http://github.com/ratpack/ratpack/commit/efb910d38a96494256f36675ef0e5061097dd77d
http://github.com/ratpack/ratpack/releases/tag/v1.7.5
http://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j
http://ratpack.io/versions/1.7.5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.