CVE-2021-29479
Cached redirect poisoning via X-Forwarded-Host header
Description
A user-supplied `X-Forwarded-Host` header can be used to poison a cache fronting a Ratpack server if that cache's key does not include the `X-Forwarded-Host` header. Deployments are vulnerable only if they do not configure a custom `PublicAddress`; one can be specified with [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-). For versions prior to 1.9.0, Ratpack by default used an inferring `PublicAddress` implementation, which derives the server's public address from request headers and is therefore vulnerable.

### Impact

An attacker can poison a cached redirect so that the cache serves a `Location` pointing at the attacker's site instead of the intended redirect target: the attacker requests a redirecting path with a forged `X-Forwarded-Host`, the application absolutizes the relative redirect against that inferred host, and the cache stores the response under a key that other users' requests also match.

### Patches

As of Ratpack 1.9.0, two changes mitigate this vulnerability:

1. The default `PublicAddress` implementation no longer infers the address from the request context; it relies on the configured bind host/port instead.
2. Relative redirects issued by the application are no longer absolutized; they are passed through as-is.

### Workarounds

In production, ensure that [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-) is configured with the server's real public address, so that it is never inferred from request headers.

### References

- https://portswigger.net/web-security/web-cache-poisoning
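The following is an added example, not Ratpack code, that models the three behaviours the advisory describes: the pre-1.9.0 inferring public address, the configured `publicAddress` workaround, and the 1.9.0 pass-through of relative redirects, all behind a shared cache that keys on `Host` and path but not on `X-Forwarded-Host`. The hostnames, the `/old` to `/new` redirect, the cache key and the `reflects_forwarded_host` probe are assumptions made for the example.

```python
"""Model of CVE-2021-29479 as an added example (not Ratpack code): a cache
keyed on Host and path, but not on X-Forwarded-Host, stores a redirect whose
Location was absolutized against an address inferred from that header.
Hostnames, paths and the cache key are assumptions for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Request:
    path: str
    headers: Dict[str, str]

    def header(self, name: str, default: str = "") -> str:
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return default


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


App = Callable[[Request], Response]


def inferring_public_address(req: Request) -> str:
    """Pre-1.9.0 default (modelled): public address inferred from the
    request, trusting X-Forwarded-Host / X-Forwarded-Proto when present."""
    host = req.header("X-Forwarded-Host") or req.header("Host", "localhost")
    scheme = req.header("X-Forwarded-Proto", "http")
    return f"{scheme}://{host}"


def vulnerable_app(req: Request) -> Response:
    """Relative redirect absolutized against the inferred public address."""
    if req.path == "/old":
        return Response(302, {"Location": inferring_public_address(req) + "/new"})
    return Response(200, {})


def make_configured_app(public_address: str) -> App:
    """Workaround: a fixed public address, so the header is never consulted."""
    def app(req: Request) -> Response:
        if req.path == "/old":
            return Response(302, {"Location": public_address + "/new"})
        return Response(200, {})
    return app


def patched_app(req: Request) -> Response:
    """1.9.0 behaviour (modelled): relative redirects are passed through."""
    if req.path == "/old":
        return Response(302, {"Location": "/new"})
    return Response(200, {})


class FrontCache:
    """Shared cache keyed on (method, Host, path); X-Forwarded-Host is an
    unkeyed input, which is the precondition for the poisoning."""
    def __init__(self, origin: App):
        self.origin = origin
        self.store: Dict[Tuple[str, str, str], Response] = {}

    def fetch(self, req: Request) -> Response:
        key = ("GET", req.header("Host"), req.path)
        if key not in self.store:
            self.store[key] = self.origin(req)
        return self.store[key]


def poison_then_browse(app: App) -> str:
    """Attacker primes the cache; the victim receives whatever was stored."""
    cache = FrontCache(app)
    attacker = Request("/old", {"Host": "shop.example",
                               "X-Forwarded-Host": "attacker.example"})
    cache.fetch(attacker)
    victim = Request("/old", {"Host": "shop.example"})  # no forged header
    return cache.fetch(victim).headers["Location"]


def reflects_forwarded_host(app: App, canary: str = "canary.invalid") -> bool:
    """Probe for the bug: does a forged X-Forwarded-Host reach Location?
    Against a live deployment the same check is one request with the header set."""
    resp = app(Request("/old", {"Host": "shop.example", "X-Forwarded-Host": canary}))
    return canary in resp.headers.get("Location", "")


if __name__ == "__main__":
    print("vulnerable :", poison_then_browse(vulnerable_app))
    print("configured :", poison_then_browse(make_configured_app("https://shop.example")))
    print("patched    :", poison_then_browse(patched_app))
```

The probe is the check worth running against a real deployment before and after the upgrade: send a request to any redirecting path with an `X-Forwarded-Host` value you control and inspect the `Location` header; if the value comes back, the public address is still being inferred from the request, and any fronting cache that does not key on that header can be poisoned.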
How to fix CVE-2021-29479
To remediate CVE-2021-29479, upgrade the affected package to a fixed version below.
- Ratpack: upgrade to 1.9.0 or later
Is CVE-2021-29479 being exploited?
Low: EPSS is 0.2%, i.e. the model estimates a 0.2% probability of exploitation in the wild within the next 30 days, and no exploitation at scale has been reported.
Affected packages (1)
- Ratpack: all versions >= 0 and < 1.9.0