CVE-2019-11284: Insufficiently Protected Credentials in Pivotal Reactor Netty
8.6
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.59464%
CWE
Published
10/23/2019
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
io.projectreactor.netty:reactor-netty | maven | < 0.8.11 | 0.8.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on improper header propagation during redirects. Analysis focuses on Reactor Netty's HTTP client redirect handling mechanism:
- HttpClientFinalizer.followRedirect is the primary redirect coordinator, making it the logical location for header management decisions
- RedirectClientHandler.send would execute the actual redirected request construction While exact patch details are unavailable, the vulnerability description explicitly identifies header propagation during redirects as the flaw. These functions represent the core redirect implementation where credential-containing headers would be inappropriately forwarded prior to the 0.8.11 fix that likely added host validation and header filtering.