PT-2021-18243 · Ratpack · Ratpack

Jl Leitschuh · Published 2021-06-29 · Updated 2021-07-07 · CVE-2021-29481

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ratpack versions prior to 1.9.0
Description: The default configuration of client-side sessions in Ratpack results in unencrypted, but signed, data being set as cookie values. This could allow sensitive data to be read by anything with access to the cookies, if sensitive data is stored in the session and the session cookie leaks. For example, this could happen if the cookies are not configured with httpOnly and an adjacent XSS vulnerability within the site allows capture of the cookies.
Recommendations: For versions prior to 1.9.0, supply an encryption key as per the documentation recommendation to mitigate the issue. As of version 1.9.0, a securely randomly generated signing key is used, which resolves the issue.
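As an added illustration of the description above (constructed example code, not Ratpack's session format or code; the cookie layout, key and payload are assumptions): a signed-only session value can be verified only with the key, but decoded by anyone who holds the cookie, which is why the advisory recommends supplying an encryption key.

```python
import base64
import hashlib
import hmac
import json

# Constructed format for illustration only: base64url(JSON payload) "." hex(HMAC-SHA256).
# This is NOT Ratpack's wire format; it just models "signed but not encrypted".


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, signing_key: bytes) -> str:
    """Server side: build a signed-only session cookie (integrity, no confidentiality)."""
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_session(cookie: str, signing_key: bytes):
    """Server side: accept the payload only if the MAC matches; None otherwise."""
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(_b64url_decode(body))


def read_without_key(cookie: str):
    """Anyone holding the cookie: the payload decodes with no key at all."""
    body, _, _ = cookie.rpartition(".")
    try:
        return json.loads(_b64url_decode(body).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def is_cleartext_session(cookie: str) -> bool:
    """Defender's check: does a captured session cookie expose a readable payload?"""
    return read_without_key(cookie) is not None


if __name__ == "__main__":
    key = b"constructed-signing-key"  # assumed value, not a real key
    cookie = sign_session({"user": "alice", "cart": [42]}, key)
    print(is_cleartext_session(cookie))  # True: signed, yet readable without the key
```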

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2021-29481
GHSA-PHJ8-4CQ3-794G

Affected Products

Ratpack