Information Exposure Affecting io.projectreactor.netty:reactor-netty-http package, versions [1.0.11,1.0.24)
Snyk CVSS
Attack Complexity
High
Threat Intelligence
EPSS
0.07% (30th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-IOPROJECTREACTORNETTY-3057195
- published 20 Oct 2022
- disclosed 20 Oct 2022
- credit Unknown
Introduced: 20 Oct 2022
CVE-2022-31684 Open this link in a new tabHow to fix?
Upgrade io.projectreactor.netty:reactor-netty-http
to version 1.0.24 or higher.
Overview
Affected versions of this package are vulnerable to Information Exposure due to logging request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs.
Note:
This vulnerability affects only invalid HTTP requests where logging at WARN
level is enabled.