SCA: security update for io.ratpack:ratpack-session (GHSA-phj8-4cq3-794g)

high Tenable Self-Hosted Container Security Plugin ID 417539

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the default configuration
of client side sessions results in unencrypted, but signed, data being set as cookie values. This means
that if something sensitive goes into the session, it could be read by something with access to the
cookies. For this to be a vulnerability, some kind of sensitive data would need to be stored in the
session and the session cookie would have to leak. For example, the cookies are not configured with
httpOnly and an adjacent XSS vulnerability within the site allowed capture of the cookies. As of version
1.9.0, a securely randomly generated signing key is used. As a workaround, one may supply an encryption
key, as per the documentation recommendation. (CVE-2021-29481)

See Also

https://github.com/advisories/GHSA-phj8-4cq3-794g

Plugin Details

Severity: High

ID: 417539

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-29481

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/1/2021

Vulnerability Publication Date: 6/29/2021

Reference Information

CVE: CVE-2021-29481

cwe: CWE-312