CVE-2020-5404 io.projectreactor.netty:reactor-netty-http

Package

Manager: maven
Name: io.projectreactor.netty:reactor-netty-http
Vulnerable Version: >=0.9.0 <0.9.5 || >=0.8.0 <0.8.16

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00509 (percentile 0.65348)

Details

Insufficiently Protected Credentials in Reactor Netty

The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5 and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. For this to happen, the HttpClient must have been explicitly configured to follow redirects.

Metadata

Created: 2022-02-10T20:24:17Z
Modified: 2021-07-08T14:31:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-gpch-h32j-gx6x/GHSA-gpch-h32j-gx6x.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-gpch-h32j-gx6x
Finding: F035
Auto approve: 1