PivotalCVELIST:CVE-2020-5404CVE-2020-5404 Authentication Leak On Redirect With Reactor Netty HttpClient
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
5.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
35.5%
The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
CNA Affected
[
{
"product": "Reactor Netty",
"vendor": "Pivotal",
"versions": [
{
"lessThan": "v0.8.16.RELEASE",
"status": "affected",
"version": "0.8",
"versionType": "custom"
},
{
"lessThan": "v0.9.5.RELEASE",
"status": "affected",
"version": "0.9",
"versionType": "custom"
}
]
}
]References
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
5.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
35.5%