PT-2021-18242 · Ratpack · Ratpack
Jlleitschuh +1
Published 2021-06-29 · Updated 2022-08-02
CVE-2021-29480
CVSS v3.1 4.4 Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Ratpack versions prior to 1.9.0
Description:
The client side session module in Ratpack uses the application startup time as the signing key by default. If an attacker can determine this time and encryption is not used, the session data could be tampered with by someone with the ability to write cookies. The default configuration is unsuitable for production use as an application restart renders all sessions invalid and is not multi-host compatible.
Recommendations:
For versions prior to 1.9.0, supply an alternative signing key, as per the documentation's recommendation.
For versions prior to 1.9.0, consider updating to Ratpack 1.9.0 or later, which uses a securely randomly generated value as the default signing key.
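An added hardening example, not code from the advisory or the Ratpack project, showing the first recommendation in practice: the client-side session module is given a signing key loaded from the deployment environment instead of the pre-1.9.0 startup-time default, so the key is unpredictable, survives restarts and is shared by every host. The `ClientSideSessionConfig.setSecretToken` setter and the `Guice.registry` wiring are assumed from Ratpack's 1.x API; the `SESSION_SIGNING_KEY` variable name and `generateSigningKey` helper are hypothetical choices.

```java
import java.security.SecureRandom;
import java.util.Base64;
import ratpack.guice.Guice;
import ratpack.server.RatpackServer;
import ratpack.session.clientside.ClientSideSessionModule;

public class HardenedSessionApp {

  // The signing key comes from configuration, not from the process, so it is
  // stable across restarts and identical on every host behind a load balancer.
  // Refusing to start without it avoids silently falling back to a weak default.
  static String signingKeyFromEnv(String name) {
    String key = System.getenv(name);
    if (key == null || key.trim().length() < 32) {
      throw new IllegalStateException(
          name + " must be set to a random value of at least 32 characters");
    }
    return key.trim();
  }

  // One-off provisioning helper (hypothetical, not a Ratpack API): an operator
  // runs this once and stores the output in the deployment's secret store.
  static String generateSigningKey() {
    byte[] raw = new byte[32];
    new SecureRandom().nextBytes(raw);
    return Base64.getEncoder().encodeToString(raw);
  }

  public static void main(String... args) throws Exception {
    RatpackServer.start(server -> server
      .registry(Guice.registry(b -> b
        .module(ClientSideSessionModule.class, cfg ->
          // secretToken is the HMAC signing key for the session cookie;
          // leaving it unset on versions before 1.9.0 uses the startup time.
          cfg.setSecretToken(signingKeyFromEnv("SESSION_SIGNING_KEY")))
      ))
      .handlers(chain -> chain
        .get(ctx -> ctx.render("session signing key loaded from configuration"))
      )
    );
  }
}
```

Setting `cfg.setSecretKey(...)` in the same configurer additionally enables cookie encryption, which removes the "encryption is not used" precondition from the description.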
Fix
Weakness: Use of Insufficiently Random Values
Affected Products: Ratpack