<p>Upgrade <code>io.projectreactor.netty:reactor-netty</code> to version 0.8.11.RELEASE or higher.</p>

Information Exposure Affecting io.projectreactor.netty:reactor-netty package, versions [0.8.0,0.8.11.RELEASE)

Snyk CVSS

Attack Complexity Low

User Interaction Required

Confidentiality High

Threat Intelligence

EPSS 0.22% (60^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-IOPROJECTREACTORNETTY-473845
published 18 Oct 2019
disclosed 17 Oct 2019
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 17 Oct 2019

CVE-2019-11284 Open this link in a new tab CWE-200 Open this link in a new tab

How to fix?

Upgrade io.projectreactor.netty:reactor-netty to version 0.8.11.RELEASE or higher.

Overview

io.projectreactor.netty:reactor-netty is a TCP/HTTP/UDP client/server with Reactor over Netty.

Affected versions of this package are vulnerable to Information Exposure. Headers are passed through redirects, including authorization headers. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.