Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied `X-Forwarded-Host` header can be used to…
GitHub_M·CWE-807·Published 2021-06-29
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header as a cache key. Users are only vulnerable if they do not configure a custom `PublicAddress` instance. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of `PublicAddress` which is vulnerable. This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location. The vulnerability was patched in Ratpack 1.9.0. As a workaround, ensure that `ServerConfigBuilder::publicAddress` correctly configures the server in production.
A user supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header as a cache key. Users are only vulnerable if they do not configure a custom `PublicAddress` instance. A custom `PublicAddress` can be specified by using [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-). For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of `PublicAddress` which is vulnerable.

### Impact

This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location.

### Patches

As of Ratpack 1.9.0, two changes have been made that mitigate this vulnerability:

1. The default `PublicAddress` implementation no longer infers the address from the request context, instead relying on the configured bind host/port.
2. Relative redirects issued by the application are no longer absolutized; they are passed through as-is.

### Workarounds

In production, ensure that [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-) correctly configures the server.

### References

- https://portswigger.net/web-security/web-cache-poisoning
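The workaround above, as an added example that is not Ratpack's own code: a Ratpack 1.x server that sets `publicAddress` explicitly, so redirect locations are derived from the configured address rather than from request headers. The host name, port and paths are assumed values.

```java
import java.net.URI;
import ratpack.server.RatpackServer;

public class PublicAddressExample {
  public static void main(String... args) throws Exception {
    RatpackServer.start(server -> server
      .serverConfig(config -> config
        .port(5050)
        // Fix the public address explicitly. Before 1.9.0 the default
        // PublicAddress inferred it from Host / X-Forwarded-Host, so a
        // cached redirect could carry a host chosen by the requester.
        // "app.example.com" is an assumed value for this example.
        .publicAddress(URI.create("https://app.example.com")))
      .handlers(chain -> chain
        // A relative redirect. Pre-1.9.0 this was absolutized using the
        // PublicAddress, so its Location header depended on that address;
        // with a configured address it is always https://app.example.com/new-path.
        .get("old-path", ctx -> ctx.redirect("/new-path"))
        .get("new-path", ctx -> ctx.render("moved here"))
      )
    );
  }
}
```

Even with this setting in place, a cache in front of the server should key on the `Host` and `X-Forwarded-Host` headers (or strip the latter at the edge) so that responses built for one host are never served for another.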
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header as a cache key. Users are only vulnerable if they do not configure a custom `PublicAddress` instance. For versions prior to 1.9.0, by default, Ratpack uses an inferring version of `PublicAddress` which is vulnerable. This can be used to perform redirect cache poisoning, where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location. The vulnerability was patched in Ratpack version 1.9.0. As a workaround, ensure that `ServerConfigBuilder::publicAddress` correctly configures the server in production.
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.0 | 4.9 | 4.9 | AV:N/AC:H/Au:N/C:P/I:P/A:N |
| 3.1 | Primary | cve.org | 7.0 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L |
| 3.1 | Primary | NVD | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| 3.1 | Secondary | NVD | 7.0 | 2.2 | 4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L |
| 3.1 | Secondary | GHSA | 7.0 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L |