8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11284

GHSA ID

GHSA-j52r-xc68-q8f4

EPSS Score

0.59464%

CWE

CWE-522

Published

10/23/2019

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-11284

CVE-2019-11284: Insufficiently Protected Credentials in Pivotal Reactor Netty

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-11284

GHSA ID

GHSA-j52r-xc68-q8f4

EPSS Score

0.59464%

CWE

CWE-522

Published

10/23/2019

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.projectreactor.netty:reactor-netty	maven	< 0.8.11	0.8.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on improper header propagation during redirects. Analysis focuses on Reactor Netty's HTTP client redirect handling mechanism:

HttpClientFinalizer.followRedirect is the primary redirect coordinator, making it the logical location for header management decisions
RedirectClientHandler.send would execute the actual redirected request construction While exact patch details are unavailable, the vulnerability description explicitly identifies header propagation during redirects as the flaw. These functions represent the core redirect implementation where credential-containing headers would be inappropriately forwarded prior to the 0.8.11 fix that likely added host validation and header filtering.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pivot*l R***tor N*tty, v*rsions prior to *.*.**, p*ss*s *****rs t*rou** r**ir**ts, in*lu*in* *ut*oriz*tion on*s. * r*mot* un*ut**nti**t** m*li*ious us*r m*y **in ****ss to *r***nti*ls *or * *i***r*nt s*rv*r t**n t**y **v* ****ss to.

Reasoning

T** vuln*r**ility **nt*rs on improp*r *****r prop***tion *urin* r**ir**ts. *n*lysis *o*us*s on R***tor N*tty's *TTP *li*nt r**ir**t **n*lin* m****nism: *. *ttp*li*nt*in*liz*r.*ollowR**ir**t is t** prim*ry r**ir**t *oor*in*tor, m*kin* it t** lo*i**l l

8.6

Basic Information

Concerned about an active attack path?

CVE-2019-11284: Insufficiently Protected Credentials in Pivotal Reactor Netty

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI