PT-2022-20889 · Unknown · Reactor Netty Http Server

Published: 2022-10-19 · Updated: 2022-10-21 · CVE-2022-31684

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Reactor Netty HTTP Server versions 1.0.11 through 1.0.23

Description: The issue affects the logging of request headers for invalid HTTP requests. When logging at WARN level is enabled, the logged headers may reveal valid access tokens to anyone with access to the server logs. Only invalid HTTP requests are affected.

Recommendations: For Reactor Netty HTTP Server versions 1.0.11 through 1.0.23, consider disabling the logging of request headers at WARN level for invalid HTTP requests until a patch is available. Restrict access to server logs to minimize the risk of exploitation.

Fix

Information Disclosure

Insertion into Log File


Weakness Enumeration

Related Identifiers

CVE-2022-31684
GHSA-7W4X-4H67-PGMV

Affected Products

Reactor Netty Http Server