CVE-2019-17513

Name of the Vulnerable Software and Affected Versions Ratpack versions 0.9.1 through 1.7.4

Description An issue in Ratpack allows HTTP Response Splitting to occur due to a misuse of the Netty library class DefaultHttpHeaders, where there is no validation that headers lack HTTP control characters. If untrusted data is used to construct HTTP headers with Ratpack, this can happen. An attacker can utilize this vulnerability to have the server issue any HTTP response they specify. The issue affects applications that use arbitrary user input as the value of a response header.

Recommendations For versions 0.9.1 through 1.7.4, update to version 1.7.5 to resolve the issue. As a temporary workaround, consider validating and sanitizing any user-supplied values being used as response headers to prevent HTTP Response Splitting. Avoid using arbitrary user input as response header values until the issue is resolved.