
CVE-2019-11284: Insufficiently Protected Credentials in Pivotal Reactor Netty

CVSS Score: 8.6 (CVSS v3.1)

Basic Information

EPSS Score: 0.59464%
Published: 10/23/2019
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name: io.projectreactor.netty:reactor-netty
Ecosystem: maven
Vulnerable Versions: < 0.8.11
First Patched Version: 0.8.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability centers on improper header propagation during redirects: when the HTTP client followed a 3xx response, it copied the original request's headers onto the redirected request without checking whether the Location target was the same host. Analysis focuses on Reactor Netty's HTTP client redirect handling mechanism:

  1. HttpClientFinalizer.followRedirect is the primary redirect coordinator, making it the logical location for header management decisions.
  2. RedirectClientHandler.send would execute the actual redirected request construction.

While exact patch details are unavailable, the vulnerability description explicitly identifies header propagation during redirects as the flaw. These functions represent the core redirect implementation where credential-containing headers (such as Authorization) would be forwarded unchanged to the redirect target, even when that target was a different server, prior to the 0.8.11 fix, which likely added host validation and header filtering. In practice this means a server that the client talks to (or anyone who can make it return a redirect) can point the client at a host they control and receive the client's credentials for the original server, which is why the CVSS vector carries a scope change (S:C) and high confidentiality impact.
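The following is an added illustration of the redirect decision described above; it is not Reactor Netty's code, not Miggo's, and does not use the Reactor Netty API. The "vulnerable" variant models the pre-0.8.11 behaviour (every header, Authorization included, follows the redirect wherever it points); the "hardened" variant models the same-origin check plus header filtering that the analysis says the fix likely introduced. The header list, the class and method names, and the hosts api.example.com / evil.example.net are all assumptions made for this example.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Reactor Netty code): how request headers should be treated
 * when an HTTP client follows a redirect.
 */
public class RedirectHeaderFilter {

    // Lower-cased names of headers that carry credentials for the ORIGINAL server
    // and must not be replayed to a different one. Assumed list for this example.
    static final Set<String> CREDENTIAL_HEADERS =
            Set.of("authorization", "proxy-authorization", "cookie");

    // Port actually used on the wire when the URI leaves it implicit.
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    // Same origin = same scheme, host and effective port. A scheme downgrade
    // (https -> http) and a host change both count as a different origin.
    static boolean sameOrigin(URI from, URI to) {
        return from.getScheme().equalsIgnoreCase(to.getScheme())
                && from.getHost().equalsIgnoreCase(to.getHost())
                && effectivePort(from) == effectivePort(to);
    }

    // Vulnerable (pre-0.8.11 behaviour as described on this page): headers follow
    // the redirect unchanged, whatever the target. 'from' and 'to' are ignored.
    static Map<String, String> vulnerableRedirectHeaders(
            URI from, URI to, Map<String, String> headers) {
        return new LinkedHashMap<>(headers);
    }

    // Hardened: credential-bearing headers are dropped on a cross-origin redirect,
    // and kept when the redirect stays on the original server.
    static Map<String, String> hardenedRedirectHeaders(
            URI from, URI to, Map<String, String> headers) {
        if (sameOrigin(from, to)) {
            return new LinkedHashMap<>(headers);
        }
        Map<String, String> filtered = new LinkedHashMap<>();
        for (Map.Entry<String, String> h : headers.entrySet()) {
            if (!CREDENTIAL_HEADERS.contains(h.getKey().toLowerCase(Locale.ROOT))) {
                filtered.put(h.getKey(), h.getValue());
            }
        }
        return filtered;
    }

    public static void main(String[] args) {
        // Constructed scenario: the client calls api.example.com with a bearer token
        // and receives "302 Found" with "Location: https://evil.example.net/collect".
        // Both hosts are placeholders invented for this example.
        URI original = URI.create("https://api.example.com/report");
        URI redirectTarget = URI.create("https://evil.example.net/collect");

        Map<String, String> requestHeaders = new LinkedHashMap<>();
        requestHeaders.put("Authorization", "Bearer example-token-not-real");
        requestHeaders.put("Accept", "application/json");

        // Pre-fix behaviour: the token is sent to evil.example.net.
        System.out.println("vulnerable  -> "
                + vulnerableRedirectHeaders(original, redirectTarget, requestHeaders));
        // Hardened behaviour: only Accept is forwarded across the origin change.
        System.out.println("hardened    -> "
                + hardenedRedirectHeaders(original, redirectTarget, requestHeaders));

        // A same-origin redirect (/report -> /report/) keeps the credentials, so
        // legitimate redirects on the original server keep working.
        URI sameHost = URI.create("https://api.example.com/report/");
        System.out.println("same-origin -> "
                + hardenedRedirectHeaders(original, sameHost, requestHeaders));
    }
}
```

The check is deliberately on the full origin rather than the hostname alone: a redirect from https to http on the same host would otherwise carry the bearer token over cleartext. None of this replaces the upgrade; applications on reactor-netty below 0.8.11 should move to a patched version rather than wrap the client with filtering of their own.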


WAF Protection Rules

WAF Rule

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.
