CVE-2023-34054 – Reactor Netty HTTP Server Metrics DoS Vulnerability
https://notcve.org/view.php?id=CVE-2023-34054
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled. En Reactor Netty HTTP Server, versiones 1.1.x anteriores a 1.1.13 y versiones 1.0.x anteriores a 1.0.39, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden causar una condición de denegación de servicio (DoS). Específicamente, una aplicación es vulnerable si la integración integrada del servidor HTTP Reactor Netty con Micrometer está habilitada. • https://spring.io/security/cve-2023-34054 •
CVE-2020-5403 – DoS Via Malformed URL with Reactor Netty HTTP Server
https://notcve.org/view.php?id=CVE-2020-5403
Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response. Reactor Netty HttpServer, versiones 0.9.3 y 0.9.4, está expuesto a una URISyntaxException que causa que la conexión sea cerrada prematuramente en lugar de producir una respuesta 400. • https://pivotal.io/security/cve-2020-5403 • CWE-20: Improper Input Validation CWE-755: Improper Handling of Exceptional Conditions •
CVE-2020-5404 – Authentication Leak On Redirect With Reactor Netty HttpClient
https://notcve.org/view.php?id=CVE-2020-5404
The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects. El HttpClient del Reactor Netty, versiones 0.9.x anteriores a 0.9.5, y versiones 0.8.x anteriores a 0.8.16, puede ser usado incorrectamente, conllevando a un filtrado de credenciales durante un redireccionamiento hacia un dominio diferente. A fin de que esto ocurra, el HttpClient debe haber sido configurado explícitamente para seguir los redireccionamientos. • https://pivotal.io/security/cve-2020-5404 https://access.redhat.com/security/cve/CVE-2020-5404 https://bugzilla.redhat.com/show_bug.cgi?id=1975160 • CWE-522: Insufficiently Protected Credentials •