CVE-2021-29479: 
Java vulnerability analysis and mitigation

Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key. Users are only vulnerable if they do not configure a custom PublicAddress instance. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of PublicAddress which is vulnerable (GitHub Advisory).

The vulnerability stems from the default PublicAddress implementation that infers the address from the request context instead of using a configured bind host/port. When a user supplies an X-Forwarded-Host header, it can be used to manipulate the cached response if the cache implementation doesn't include this header in its cache key. The vulnerability has been assigned a CVSS v3.1 score of 7.0 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L (GitHub Advisory).

This vulnerability can be exploited to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location. This means that subsequent users accessing the cached content could be redirected to malicious sites (GitHub Advisory, PortSwigger).

For versions prior to 1.9.0, users should ensure that ServerConfigBuilder::publicAddress correctly configures the server in production. As of Ratpack 1.9.0, two changes have been made to mitigate this vulnerability: 1) The default PublicAddress implementation no longer infers the address from the request context, instead relying on the configured bind host/port, and 2) Relative redirects issued by the application are no longer absolutized but are passed through as-is (GitHub Advisory).