CVE-2023-34054 – io.projectreactor.netty:reactor-netty-core

Package

Manager: maven
Name: io.projectreactor.netty:reactor-netty-core
Vulnerable Version: >=1.1.0 <1.1.13 || >=1.0.0 <1.0.39

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0017 pctl0.38625

Details

Reactor Netty HTTP Server denial of service vulnerability In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Metadata

Created: 2023-11-28T09:30:27Z
Modified: 2024-06-28T12:49:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-q24v-hpg3-v3jp/GHSA-q24v-hpg3-v3jp.json
CWE IDs: []
Alternative ID: GHSA-q24v-hpg3-v3jp
Finding: F002
Auto approve: 1