CVE-2019-10770 - OpenCVE

All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ratpack	Ratpack

Configuration 1 [-]

cpe:2.3:a:ratpack:ratpack:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-01-28T00:21:46

Updated: 2024-08-04T22:32:01.587Z

Reserved: 2019-04-03T00:00:00

Link: CVE-2019-10770

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-28T01:15:10.753

Modified: 2020-01-29T14:23:32.927

Link: CVE-2019-10770

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "io.ratpack:ratpack-core", "vendor": "n/a", "versions": [{"status": "affected", "version": "all versions from 0.9.10 inclusive and before 1.7.6"}]}], "descriptions": [{"lang": "en", "value": "All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode."}], "problemTypes": [{"descriptions": [{"description": "Cross-site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-28T00:21:46", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2019-10770", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "io.ratpack:ratpack-core", "version": {"version_data": [{"version_value": "all versions from 0.9.10 inclusive and before 1.7.6"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882", "refsource": "CONFIRM", "url": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:01.587Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2019-10770", "datePublished": "2020-01-28T00:21:46", "dateReserved": "2019-04-03T00:00:00", "dateUpdated": "2024-08-04T22:32:01.587Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ratpack:ratpack:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B658FD6-8CEB-4DD6-A610-22B67F2399BF", "versionEndExcluding": "1.7.6", "versionStartIncluding": "0.9.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode."}, {"lang": "es", "value": "Todas las versiones de io.ratpack:ratpack-core desde 0.9.10 inclusive y anteriores a 1.7.6, son vulnerables a un ataque de tipo Cross-site Scripting (XSS). Esto afecta al manejador de errores del modo de desarrollo cuando un mensaje de excepci\u00f3n contiene datos no confiables. Tome en cuenta que el manejador de errores del modo de producci\u00f3n no es vulnerable, para que este sea utilizado en producci\u00f3n requerir\u00eda que los usuarios no deshabiliten el modo de desarrollo."}], "id": "CVE-2019-10770", "lastModified": "2020-01-29T14:23:32.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-28T01:15:10.753", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-IORATPACK-534882"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}