GHSA-7w4x-4h67-pgmv

Source
https://github.com/advisories/GHSA-7w4x-4h67-pgmv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-7w4x-4h67-pgmv/GHSA-7w4x-4h67-pgmv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7w4x-4h67-pgmv
Aliases
Published
2022-10-20T12:00:17Z
Modified
2023-11-08T04:09:32.521356Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens
Details

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to anyone with access to the server logs. Only invalid HTTP requests are affected, and only when logging at WARN level is enabled.

Database specific
{
    "nvd_published_at": "2022-10-19T22:15:00Z",
    "github_reviewed_at": "2022-10-20T18:40:50Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Maven / io.projectreactor.netty:reactor-netty-http

Package

Name
io.projectreactor.netty:reactor-netty-http
Purl
pkg:maven/io.projectreactor.netty/reactor-netty-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.11
Fixed
1.0.24

Affected versions

1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23