Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for Reactor Netty by Pivotal

    CVE-2020-5403 (GCVE-0-2020-5403)

    Vulnerability from nvd – Published: 2020-03-03 18:25 – Updated: 2024-09-17 00:00
    VLAI
    Title
    DoS Via Malformed URL with Reactor Netty HTTP Server
    Summary
    Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2020-5403 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Reactor Netty Affected: 0.9 v0.9.3.RELEASE
    Affected: 0.9 v0.9.4.RELEASE
    Create a notification for this product.
    Date Public
    2020-02-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:30:24.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2020-5403"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Reactor Netty",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.9 v0.9.3.RELEASE"
                },
                {
                  "status": "affected",
                  "version": "0.9 v0.9.4.RELEASE"
                }
              ]
            }
          ],
          "datePublic": "2020-02-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-03T18:25:14.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2020-5403"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "DoS Via Malformed URL with Reactor Netty HTTP Server",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-02-27T00:00:00.000Z",
              "ID": "CVE-2020-5403",
              "STATE": "PUBLIC",
              "TITLE": "DoS Via Malformed URL with Reactor Netty HTTP Server"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Reactor Netty",
                          "version": {
                            "version_data": [
                              {
                                "affected": "=",
                                "version_affected": "=",
                                "version_name": "0.9",
                                "version_value": "v0.9.3.RELEASE"
                              },
                              {
                                "affected": "=",
                                "version_affected": "=",
                                "version_name": "0.9",
                                "version_value": "v0.9.4.RELEASE"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20: Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2020-5403",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2020-5403"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2020-5403",
        "datePublished": "2020-03-03T18:25:14.205Z",
        "dateReserved": "2020-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:00:46.313Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-5404 (GCVE-0-2020-5404)

    Vulnerability from nvd – Published: 2020-03-03 17:55 – Updated: 2024-09-17 01:02
    VLAI
    Title
    Authentication Leak On Redirect With Reactor Netty HttpClient
    Summary
    The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2020-5404 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Reactor Netty Affected: 0.8 , < v0.8.16.RELEASE (custom)
    Affected: 0.9 , < v0.9.5.RELEASE (custom)
    Create a notification for this product.
    Date Public
    2020-02-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:30:23.970Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2020-5404"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Reactor Netty",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "v0.8.16.RELEASE",
                  "status": "affected",
                  "version": "0.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "v0.9.5.RELEASE",
                  "status": "affected",
                  "version": "0.9",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-02-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-03T17:55:13.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2020-5404"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authentication Leak On Redirect With Reactor Netty HttpClient",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-02-27T00:00:00.000Z",
              "ID": "CVE-2020-5404",
              "STATE": "PUBLIC",
              "TITLE": "Authentication Leak On Redirect With Reactor Netty HttpClient"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Reactor Netty",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "0.8",
                                "version_value": "v0.8.16.RELEASE"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "0.9",
                                "version_value": "v0.9.5.RELEASE"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522: Insufficiently Protected Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2020-5404",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2020-5404"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2020-5404",
        "datePublished": "2020-03-03T17:55:13.953Z",
        "dateReserved": "2020-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:02:01.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11284 (GCVE-0-2019-11284)

    Vulnerability from nvd – Published: 2019-10-17 17:40 – Updated: 2024-09-16 23:36
    VLAI
    Title
    Reactor Netty authentication leak in redirects
    Summary
    Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11284 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Reactor Netty Affected: prior to v0.8.11.RELEASE
    Create a notification for this product.
    Date Public
    2019-10-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.143Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11284"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Reactor Netty",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to v0.8.11.RELEASE"
                }
              ]
            }
          ],
          "datePublic": "2019-10-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-10-17T17:40:12.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11284"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reactor Netty authentication leak in redirects",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-10-15T00:00:00.000Z",
              "ID": "CVE-2019-11284",
              "STATE": "PUBLIC",
              "TITLE": "Reactor Netty authentication leak in redirects"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Reactor Netty",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to v0.8.11.RELEASE"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522: Insufficiently Protected Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11284",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11284"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11284",
        "datePublished": "2019-10-17T17:40:12.123Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:36:09.978Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-5403 (GCVE-0-2020-5403)

    Vulnerability from cvelistv5 – Published: 2020-03-03 18:25 – Updated: 2024-09-17 00:00
    VLAI
    Title
    DoS Via Malformed URL with Reactor Netty HTTP Server
    Summary
    Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2020-5403 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Reactor Netty Affected: 0.9 v0.9.3.RELEASE
    Affected: 0.9 v0.9.4.RELEASE
    Create a notification for this product.
    Date Public
    2020-02-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:30:24.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2020-5403"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Reactor Netty",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.9 v0.9.3.RELEASE"
                },
                {
                  "status": "affected",
                  "version": "0.9 v0.9.4.RELEASE"
                }
              ]
            }
          ],
          "datePublic": "2020-02-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-03T18:25:14.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2020-5403"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "DoS Via Malformed URL with Reactor Netty HTTP Server",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-02-27T00:00:00.000Z",
              "ID": "CVE-2020-5403",
              "STATE": "PUBLIC",
              "TITLE": "DoS Via Malformed URL with Reactor Netty HTTP Server"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Reactor Netty",
                          "version": {
                            "version_data": [
                              {
                                "affected": "=",
                                "version_affected": "=",
                                "version_name": "0.9",
                                "version_value": "v0.9.3.RELEASE"
                              },
                              {
                                "affected": "=",
                                "version_affected": "=",
                                "version_name": "0.9",
                                "version_value": "v0.9.4.RELEASE"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20: Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2020-5403",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2020-5403"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2020-5403",
        "datePublished": "2020-03-03T18:25:14.205Z",
        "dateReserved": "2020-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:00:46.313Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-5404 (GCVE-0-2020-5404)

    Vulnerability from cvelistv5 – Published: 2020-03-03 17:55 – Updated: 2024-09-17 01:02
    VLAI
    Title
    Authentication Leak On Redirect With Reactor Netty HttpClient
    Summary
    The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2020-5404 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Reactor Netty Affected: 0.8 , < v0.8.16.RELEASE (custom)
    Affected: 0.9 , < v0.9.5.RELEASE (custom)
    Create a notification for this product.
    Date Public
    2020-02-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:30:23.970Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2020-5404"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Reactor Netty",
              "vendor": "Pivotal",
              "versions": [
                {
                  "lessThan": "v0.8.16.RELEASE",
                  "status": "affected",
                  "version": "0.8",
                  "versionType": "custom"
                },
                {
                  "lessThan": "v0.9.5.RELEASE",
                  "status": "affected",
                  "version": "0.9",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-02-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-03T17:55:13.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2020-5404"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authentication Leak On Redirect With Reactor Netty HttpClient",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-02-27T00:00:00.000Z",
              "ID": "CVE-2020-5404",
              "STATE": "PUBLIC",
              "TITLE": "Authentication Leak On Redirect With Reactor Netty HttpClient"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Reactor Netty",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "0.8",
                                "version_value": "v0.8.16.RELEASE"
                              },
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "0.9",
                                "version_value": "v0.9.5.RELEASE"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522: Insufficiently Protected Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2020-5404",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2020-5404"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2020-5404",
        "datePublished": "2020-03-03T17:55:13.953Z",
        "dateReserved": "2020-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:02:01.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11284 (GCVE-0-2019-11284)

    Vulnerability from cvelistv5 – Published: 2019-10-17 17:40 – Updated: 2024-09-16 23:36
    VLAI
    Title
    Reactor Netty authentication leak in redirects
    Summary
    Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    URL Tags
    https://pivotal.io/security/cve-2019-11284 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Pivotal Reactor Netty Affected: prior to v0.8.11.RELEASE
    Create a notification for this product.
    Date Public
    2019-10-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:48:09.143Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2019-11284"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Reactor Netty",
              "vendor": "Pivotal",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to v0.8.11.RELEASE"
                }
              ]
            }
          ],
          "datePublic": "2019-10-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-10-17T17:40:12.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2019-11284"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reactor Netty authentication leak in redirects",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2019-10-15T00:00:00.000Z",
              "ID": "CVE-2019-11284",
              "STATE": "PUBLIC",
              "TITLE": "Reactor Netty authentication leak in redirects"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Reactor Netty",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to v0.8.11.RELEASE"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Pivotal"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522: Insufficiently Protected Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://pivotal.io/security/cve-2019-11284",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2019-11284"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2019-11284",
        "datePublished": "2019-10-17T17:40:12.123Z",
        "dateReserved": "2019-04-18T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:36:09.978Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }