Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Client side sessions should not allow unencrypted storage
Vulnerability Description
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the default configuration of client side sessions results in unencrypted, but signed, data being set as cookie values. This means that if something sensitive goes into the session, it could be read by something with access to the cookies. For this to be a vulnerability, some kind of sensitive data would need to be stored in the session and the session cookie would have to leak. For example, the cookies are not configured with httpOnly and an adjacent XSS vulnerability within the site allowed capture of the cookies. As of version 1.9.0, a securely randomly generated signing key is used. As a workaround, one may supply an encryption key, as per the documentation recommendation.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Vulnerability Type
敏感数据的明文存储
Vulnerability Title
Ratpack 安全漏洞
Vulnerability Description
Ratpack是一款用于构建可扩展HTTP应用程序的Java库。 Ratpack 1.9.0之前版本存在安全漏洞,该漏洞源于客户端会话的默认配置导致未加密但已签名的数据被设置为cookie值。攻击者可利用该漏洞窃取泄露的cookie。
CVSS Information
N/A
Vulnerability Type
N/A