Lucene search
Veracode Vulnerability DatabaseVERACODE:37637HistoryOct 21, 2022 - 8:04 a.m.
Information Disclosure
2022-10-2108:04:34
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
12
vulnerable software
information disclosure
remote attacker
http requests
access tokens
sensitive information
0.001 Low
EPSS
Percentile
30.4%
reactor-netty is vulnerable to information disclosure. A remote attacker is able to request log headers in some cases of invalid HTTP requests which may reveal valid access tokens when WARN level is enabled, resulting in disclosure of sensitive information.
References
github.com/reactor/reactor-netty/commit/9662c6fb643180c1b4bd93e2d300c2d1928ffdf2
github.com/reactor/reactor-netty/pull/2528
github.com/reactor/reactor-netty/releases/tag/v1.0.24
spring.io/blog/2022/10/20/cve-2022-31684-reactor-netty-http-server-may-log-request-headers
tanzu.vmware.com/security/cve-2022-31684
Related
osv
osv
Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens
2022-10-20 12:00:17
CVE-2022-31684
2022-10-19 22:15:10
redhatcve
redhatcve
CVE-2022-31684
2022-11-09 14:56:28
prion
prion
Cross site request forgery (csrf)
2022-10-19 22:15:00
github
github
Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens
2022-10-20 12:00:17
spring
spring
CVE-2022-31684: Reactor Netty HTTP Server may log request headers
2022-10-20 12:45:00
This Week in Spring - October 25th, 2022
2022-10-24 07:00:00
nvd
nvd
CVE-2022-31684
2022-10-19 22:15:10
cve
cve
CVE-2022-31684
2022-10-19 22:15:10
cvelist
cvelist
CVE-2022-31684
2022-10-19 00:00:00
ibm
ibm
redhat
redhat