Versions of Ratpack from 0.9.10 through 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS) in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.
As a simplistic example:
RatpackServer startedServer = RatpackServer.start(server -> {
server.handlers(chain -> chain.all(ctx -> {
// User supplied query parameter
String message = ctx.getRequest().getQueryParams().get("message");
// User supplied data appended to the message in an exception
throw new RuntimeException("An error occurred: " + message);
}));
});Impact
Patches
This vulnerability has been patched in Ratpack version 1.7.6.
Workarounds
If you are unable to update your version of Ratpack, we recommend the following workarounds and mitigations.
- Ensure that development mode is disabled in production.
- Don't use real customer data (ie. untrusted user input) in development.
References
For more information
If you have any questions or comments about this advisory:
JLLeitschuh Analyst
Versions of Ratpack from 0.9.10 through 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS) in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.
As a simplistic example:
Impact
Patches
This vulnerability has been patched in Ratpack version 1.7.6.
Workarounds
If you are unable to update your version of Ratpack, we recommend the following workarounds and mitigations.
References
For more information
If you have any questions or comments about this advisory: