reactor-netty is vulnerable to information disclosure. In some cases of invalid HTTP requests, the HTTP server logs the request headers when the WARN level is enabled, which may reveal valid access tokens and result in disclosure of sensitive information.
github.com/reactor/reactor-netty/commit/9662c6fb643180c1b4bd93e2d300c2d1928ffdf2
github.com/reactor/reactor-netty/pull/2528
github.com/reactor/reactor-netty/releases/tag/v1.0.24
spring.io/blog/2022/10/20/cve-2022-31684-reactor-netty-http-server-may-log-request-headers
tanzu.vmware.com/security/cve-2022-31684
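
A log audit for the exposure described above, as an added example that is not code from the reactor-netty project: it tracks which log entry each continuation line belongs to, then flags and redacts credential-bearing headers that appear inside WARN entries. The log layout, the sample lines and the header list are constructed assumptions; adapt the entry pattern to your own log format.

```python
import re

# Assumed list of header names whose values are credentials; extend as needed.
SENSITIVE = ("authorization", "proxy-authorization", "cookie", "x-api-key")
HEADER_RE = re.compile(
    r"(?i)^\s*(" + "|".join(map(re.escape, SENSITIVE)) + r")\s*:\s*(\S.*)$"
)
# Assumed entry layout: "<date> <time> <LEVEL> ..."; other lines are continuations.
ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\S+\s+(TRACE|DEBUG|INFO|WARN|ERROR)\b")

# Constructed sample, not real server output. A header dump spans several lines.
SAMPLE_LOG = """\
2022-10-20 10:00:01.120 INFO  [main] app.Startup - listening on 8080
2022-10-20 10:00:05.431 WARN  [reactor-http-epoll-2] server - Decoding failed:
GET /bad uri HTTP/1.1
Host: api.example.test
Authorization: Bearer CONSTRUCTED-TOKEN-0001
Cookie: SESSION=constructed-session-id
2022-10-20 10:00:06.002 DEBUG [reactor-http-epoll-3] client - request sent
Authorization: Bearer CONSTRUCTED-TOKEN-0002
""".splitlines()


def scan(lines, levels=("WARN",)):
    """Return (findings, redacted_lines); a finding is (line_no, header_name)."""
    findings, redacted, level = [], [], None
    for no, line in enumerate(lines, 1):
        start = ENTRY_RE.match(line)
        if start:
            level = start.group(1)  # a new entry begins; remember its level
        # Only continuation lines of an entry at a level of interest are checked.
        hit = HEADER_RE.match(line) if (level in levels and not start) else None
        if hit:
            findings.append((no, hit.group(1).lower()))
            line = line[:hit.start(2)] + "[REDACTED]"  # keep the name, drop the value
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan(SAMPLE_LOG)
    for no, name in found:
        print(f"line {no}: {name} value logged; rotate the credential")
    print("\n".join(clean))
```

Any credential the scan finds in a retained log should be treated as exposed and rotated, since redacting the file does not cover copies already shipped to log aggregation.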