This security advisory describes one medium risk vulnerability.
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C] [PCI]
Exploit availability: NoDescription
The vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.Mitigation
Install update from vendor's website.Vulnerable software versions
Ratpack: 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4CPE
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.