Information Disclosure in Reactor Netty HTTP Server by VMware
CVE-2022-31684

4.3 MEDIUM

Key Information:

Vendor: Pivotal
CVE Published: 19 October 2022

What is CVE-2022-31684?

Reactor Netty's HTTP server, maintained by VMware, may log the headers of a request when certain invalid (malformed) HTTP requests are received. Because this logging happens at WARN level, the resulting log entries can include a valid access token carried in the request, exposing it to anyone who can read the server logs. The risk is therefore concentrated in environments where such invalid requests occur, since each one can disclose sensitive information to parties with log access.
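One way to check whether an affected deployment has already written credentials into its logs is to scan WARN/ERROR entries for credential-bearing headers and redact them before the logs are retained or shared. The script below is an added example, not code from the advisory or from the Reactor Netty project; its log lines are constructed for illustration and do not reproduce Reactor Netty's actual log format, and the header names it looks for are an assumed list that should be extended to match your application.

```python
import re

# Constructed sample log lines (not Reactor Netty's real format): one WARN entry
# that dumped request headers after a malformed request, plus benign lines.
SAMPLE_LOG = """\
2022-10-19 10:01:02.123 INFO  [reactor-http-nio-2] r.n.http.server.HttpServer - Bound server on port 8080
2022-10-19 10:01:05.456 WARN  [reactor-http-nio-2] r.n.http.server.HttpServerOperations - Invalid request: headers=[host=api.example.test, authorization=Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123, cookie=session=s3cr3tsession; theme=dark]
2022-10-19 10:01:06.789 INFO  [reactor-http-nio-2] r.n.http.server.HttpServerOperations - GET /health 200
"""

# Headers whose values are credentials (assumed list). Matches "name: value" and
# "name=value"; the value runs until a comma, closing bracket or end of line.
CREDENTIAL_HEADER = re.compile(
    r"(?P<name>authorization|cookie|proxy-authorization|x-api-key)"
    r"\s*[:=]\s*(?P<value>[^,\]\n]+)",
    re.IGNORECASE,
)

def mask(value):
    """Keep a short prefix so a finding can be correlated, hide the rest."""
    value = value.strip()
    return value[:10] + "..." if len(value) > 10 else "..."

def find_leaked_credentials(log_text, levels=("WARN", "ERROR")):
    """Return (line_no, level, header, masked_value) for every credential header
    found in a log line whose level is in `levels`. Level is the third token."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        level = parts[2] if len(parts) > 2 else ""
        if level not in levels:
            continue
        for m in CREDENTIAL_HEADER.finditer(line):
            findings.append((line_no, level, m.group("name").lower(), mask(m.group("value"))))
    return findings

def redact(log_text):
    """Replace credential header values so the log can be retained or shared."""
    return CREDENTIAL_HEADER.sub(lambda m: f"{m.group('name')}=<redacted>", log_text)

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_LOG):
        print("line %d %s: %s=%s" % finding)
    print(redact(SAMPLE_LOG))
```

Any finding is a token that must be treated as compromised and revoked; redaction only limits further spread.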

Affected Version(s)

Reactor Netty 1.0.11 to 1.0.23

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved