SCA: security update for io.ratpack:ratpack-session (GHSA-2cc5-23r7-vc4v)

low Tenable Self-Hosted Container Security Plugin ID 408853

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session
module uses the application startup time as the signing key by default. This means that if an attacker can
determine this time, and if encryption is not also used (which is recommended, but is not on by default),
the session data could be tampered with by someone with the ability to write cookies. The default
configuration is unsuitable for production use as an application restart renders all sessions invalid and
is not multi-host compatible, but its use is not actively prevented. As of Ratpack 1.9.0, the default
value is a securely randomly generated value, generated at application startup time. As a workaround,
supply an alternative signing key, as per the documentation's recommendation. (CVE-2021-29480)

See Also

https://github.com/advisories/GHSA-2cc5-23r7-vc4v

Plugin Details

Severity: Low

ID: 408853

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2021-29480

CVSS v3

Risk Factor: Low

Base Score: 3.1

Temporal Score: 2.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/1/2021

Vulnerability Publication Date: 6/29/2021

Reference Information

CVE: CVE-2021-29480