CVE-2022-31684

MEDIUM4.3EPSS 0.42%

Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens

發布日:2022/10/20修改日:2025/5/9

描述

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may request log headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.

受影響套件(1)

Maven/io.projectreactor.netty:reactor-netty-http>= 1.0.11, < 1.0.24

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-31684
PATCHhttps://search.maven.org/artifact/io.projectreactor.netty/reactor-netty-http
WEBhttps://tanzu.vmware.com/security/cve-2022-31684