CVE-2021-29480: 
Java vulnerability analysis and mitigation

CVE-2021-29480 affects Ratpack, a toolkit for creating web applications. The vulnerability was discovered in versions prior to 1.9.0, where the client side session module used the application startup time as the signing key by default. This security issue was disclosed on June 29, 2021 (GitHub Advisory).

The vulnerability exists in the ClientSideSessionConfig.java file where the default secretToken is set using System.currentTimeMillis() / 10000. This implementation makes the signing key predictable, especially if an attacker can determine the application's startup time. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 LOW (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) by NVD, while GitHub rates it as 4.4 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) (NVD).

If an attacker can determine the application startup time and encryption is not enabled (which is not on by default), they could potentially tamper with session data through cookie manipulation. Additionally, the default configuration makes the application unsuitable for production use as any application restart invalidates all sessions and lacks multi-host compatibility (GitHub Advisory).

The vulnerability has been patched in Ratpack version 1.9.0, where the default value is changed to a securely randomly generated value at application startup time. As a workaround for affected versions, users should supply an alternative signing key as per the documentation's recommendation (GitHub Advisory).