PT-2023-8190 · Unknown · Reactor Netty Http Server

Dr. Michael Ummels

Published

2023-11-15

Updated

2026-04-27

CVE-2023-34062

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Reactor Netty HTTP Server versions 1.0.x prior to 1.0.39 Reactor Netty HTTP Server versions 1.1.x prior to 1.1.13

Description The issue is related to incorrect restriction of directory path names, which can lead to a directory traversal attack. This can allow a remote attacker to disclose protected information. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

Recommendations For Reactor Netty HTTP Server versions 1.0.x prior to 1.0.39, update to version 1.0.39 or later. For Reactor Netty HTTP Server versions 1.1.x prior to 1.1.13, update to version 1.1.13 or later. As a temporary workaround, consider disabling the serving of static resources until a patch is available.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

BDU:2024-00179

CVE-2023-34062

GHSA-XJHV-P3FV-X24R

Affected Products

Reactor Netty Http Server

PT-2023-8190 · Unknown · Reactor Netty Http Server

CVE-2023-34062

Weakness Enumeration

Related Identifiers

Affected Products

References · 9