Ratpack · Ratpack · CVE-2021-29481
Name of the Vulnerable Software and Affected Versions:
Ratpack versions prior to 1.9.0
Description:
The default configuration of client-side sessions in Ratpack results in session data being set as cookie values that are signed but not encrypted. If sensitive data is stored in the session and the session cookie leaks, that data can be read by anything with access to the cookie. For example, this could happen if the cookies are not configured with httpOnly and an adjacent XSS vulnerability within the site allows capture of the cookies.
Recommendations:
For versions prior to 1.9.0, supply an encryption key, as the documentation recommends, to mitigate the issue.
As of version 1.9.0, a securely randomly generated signing key is used, which resolves the issue.
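The mitigation above, as an added configuration example that is not part of the advisory or of the Ratpack project: the weak pre-1.9.0 default (signing token only) beside the hardened form that also supplies an encryption key. It assumes ClientSideSessionModule's config setters setSecretToken and setSecretKey, the Session set/get API, and that the default cipher is AES with a 16-character key.

```java
// Added example (not Ratpack project code) for CVE-2021-29481 mitigation on
// Ratpack < 1.9.0. Assumed API: ClientSideSessionConfig.setSecretToken (signing),
// ClientSideSessionConfig.setSecretKey (encryption), Session.set/get.
import ratpack.guice.Guice;
import ratpack.server.RatpackServer;
import ratpack.session.Session;
import ratpack.session.clientside.ClientSideSessionModule;

public class SessionConfigExample {

  public static void main(String[] args) throws Exception {
    // Both secrets come from the environment so they are never hard-coded in source.
    String signingToken = requireEnv("SESSION_SIGNING_TOKEN");
    String encryptionKey = requireEnv("SESSION_ENCRYPTION_KEY");
    // Assumption: the default cipher is AES, which needs a 16-character key.
    if (encryptionKey.length() != 16) {
      throw new IllegalStateException("SESSION_ENCRYPTION_KEY must be exactly 16 characters");
    }

    RatpackServer.start(server -> server
      .registry(Guice.registry(bindings -> bindings
        .module(ClientSideSessionModule.class, config -> {
          // WEAK (the vulnerable default): only a signing token, so the cookie is
          // tamper-evident but its serialized contents are readable by anyone
          // who obtains it:
          //   config.setSecretToken(signingToken);
          //
          // HARDENED: also supply an encryption key so the session payload is
          // encrypted before it is signed and placed in the cookie value.
          config.setSecretToken(signingToken);
          config.setSecretKey(encryptionKey);
        })
      ))
      .handlers(chain -> chain
        // Whatever is stored here ends up in the client-side cookie, which is
        // exactly why encryption matters if the cookie is ever captured.
        .get("login", ctx -> ctx.get(Session.class)
          .set("userId", "42")
          .then(() -> ctx.render("session written")))
        .get("whoami", ctx -> ctx.get(Session.class)
          .get("userId")
          .then(id -> ctx.render(id.map(v -> "user " + v).orElse("anonymous"))))
      )
    );
  }

  private static String requireEnv(String name) {
    String value = System.getenv(name);
    if (value == null || value.isEmpty()) {
      throw new IllegalStateException("missing required environment variable " + name);
    }
    return value;
  }
}
```

Setting the session cookie's httpOnly and secure flags is a separate piece of configuration not shown here; the advisory's attack path depends on the cookie being exposed, so both should be enabled alongside encryption.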