CVE-2022-31684 io.projectreactor.netty:reactor-netty-http

Package

Manager: maven
Name: io.projectreactor.netty:reactor-netty-http
Vulnerable Version: >=1.0.11 <1.0.24

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00241 (percentile: 0.47301)

Details

Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.

Metadata

Created: 2022-10-20T12:00:17Z
Modified: 2025-05-09T16:32:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-7w4x-4h67-pgmv/GHSA-7w4x-4h67-pgmv.json
CWE IDs: ["CWE-200", "CWE-532"]
Alternative ID: GHSA-7w4x-4h67-pgmv
Finding: F308
Auto approve: 1