PT-2020-18460 · Project Reactor · Reactor Netty Httpclient
Daniel Spruth
Published 2020-03-03 · Updated 2022-02-10
CVE-2020-5404
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Reactor Netty HttpClient versions 0.9.x prior to 0.9.5
Reactor Netty HttpClient versions 0.8.x prior to 0.8.16
Description
The issue may lead to a credentials leak during a redirect to a different domain if the HttpClient is explicitly configured to follow redirects.
Recommendations
For Reactor Netty HttpClient versions 0.9.x prior to 0.9.5, update to version 0.9.5 or later to resolve the issue.
For Reactor Netty HttpClient versions 0.8.x prior to 0.8.16, update to version 0.8.16 or later to resolve the issue.
As a temporary workaround, consider disabling the redirect follow configuration in the HttpClient until a patch is available.
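The workaround above, as an added Java example that is not from the advisory or from the Reactor Netty project: the affected setting beside the disabled-redirect workaround, plus a predicate that follows a redirect only when it stays on the original host and scheme. The `followRedirect` overloads, `resourceUrl()` and `responseHeaders()` are assumed from the Reactor Netty 0.9 API.

```java
import java.net.URI;
import java.util.function.BiPredicate;

import io.netty.handler.codec.http.HttpHeaderNames;
import reactor.netty.http.client.HttpClient;
import reactor.netty.http.client.HttpClientRequest;
import reactor.netty.http.client.HttpClientResponse;

public class RedirectPolicy {

    // Affected configuration: every 30x is followed, so a Location pointing
    // at a different domain is requested with the original request headers.
    static HttpClient followAll() {
        return HttpClient.create().followRedirect(true);
    }

    // Workaround from the advisory: do not follow redirects at all. The caller
    // receives the 30x response and decides whether to issue a new request.
    static HttpClient followNone() {
        return HttpClient.create().followRedirect(false);
    }

    // Tighter alternative (assumed API: BiPredicate overload of followRedirect):
    // follow only when the Location stays on the same host and scheme, so
    // credentials never travel to another origin automatically.
    static BiPredicate<HttpClientRequest, HttpClientResponse> sameOriginOnly() {
        return (req, res) -> {
            String location = res.responseHeaders().get(HttpHeaderNames.LOCATION);
            if (location == null) {
                return false; // nothing to follow
            }
            URI original = URI.create(req.resourceUrl());
            URI target = original.resolve(location); // relative Locations stay on-host
            return target.getHost() != null
                    && target.getScheme() != null
                    && target.getHost().equalsIgnoreCase(original.getHost())
                    && target.getScheme().equalsIgnoreCase(original.getScheme());
        };
    }

    static HttpClient followSameOrigin() {
        return HttpClient.create().followRedirect(sameOriginOnly());
    }
}
```

The predicate refuses cross-host and http-to-https downgrades alike; callers that need cross-domain redirects should handle the 30x explicitly and decide which headers to resend.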
Weakness Enumeration
Insufficiently Protected Credentials
Affected Products
Reactor Netty Httpclient