CVE Vulnerability

CVE-2019-17513

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/ratpack/ratpack/commit/c560a8d10cb8bdd7a526c1ca2e67c8f224ca23ae Patch
https://github.com/ratpack/ratpack/releases/tag/v1.7.5 Release Notes Third Party Advisory
https://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j Third Party Advisory
https://ratpack.io/versions/1.7.5 Vendor Advisory
https://github.com/ratpack/ratpack/commit/efb910d38a96494256f36675ef0e5061097dd77d Patch
Configurations

Configuration 1

cpe:2.3:a:ratpack_project:ratpack:*:*:*:*:*:*:*:*
Information

Published : 2019-10-18 03:15

Updated : 2020-08-24 05:37

NVD link : CVE-2019-17513

Mitre link : CVE-2019-17513

Products Affected
No products.
CWE
CWE-74