
CVE-2022-31684: Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens

CVSS Score (v3.1)
4.3

Basic Information

EPSS Score
0.45394%
Published
10/20/2022
Updated
2/3/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name
io.projectreactor.netty:reactor-netty-http
Ecosystem
maven
Vulnerable Versions
>= 1.0.11, < 1.0.24
First Patched Version
1.0.24

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability occurs when invalid HTTP requests trigger WARN-level logging that includes sensitive headers. The key modification in the patch adds log level checks before logging in AbstractHttpServerMetricsHandler.write(), which handles HTTP response writing. This was the primary location where metrics-related exceptions during request processing could leak headers to logs. Other modified files either: 1) Add safety checks for non-HTTP components (like connection pools), 2) Affect debug-level logging, or 3) Are unrelated to the HTTP header logging scenario described in the CVE.
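The pattern the analysis describes, a log-level check placed before any statement that would serialise request headers, is shown below in an added illustrative example. This is not Reactor Netty's code or its patch; it uses plain java.util.logging and a hypothetical header map, and it pairs the level check with redaction of credential-bearing headers (an assumed list), which is the stronger mitigation for the token-in-logs risk the CVE describes.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

// Illustrative example, not Reactor Netty code: guard header logging so that an
// invalid request cannot push access tokens into server logs.
public final class SafeRequestLogging {
    private static final Logger LOG = Logger.getLogger(SafeRequestLogging.class.getName());

    // Assumed list of header names whose values are credentials; extend as needed.
    private static final Set<String> SENSITIVE =
            Set.of("authorization", "proxy-authorization", "cookie", "set-cookie");

    // Returns a copy of the headers with every sensitive value replaced by a marker,
    // so the original map is never mutated and the log line never carries a token.
    public static Map<String, List<String>> redact(Map<String, List<String>> headers) {
        Map<String, List<String>> out = new HashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            if (SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) {
                List<String> masked = new ArrayList<>();
                for (int i = 0; i < e.getValue().size(); i++) {
                    masked.add("<redacted>");
                }
                out.put(name, masked);
            } else {
                out.put(name, new ArrayList<>(e.getValue()));
            }
        }
        return out;
    }

    // Level check first (the shape of the fix described above), then redaction:
    // the message is built only if WARNING is enabled, and even then it holds no tokens.
    public static void logInvalidRequest(String reason, Map<String, List<String>> headers) {
        if (!LOG.isLoggable(Level.WARNING)) {
            return;
        }
        LOG.warning("Invalid HTTP request (" + reason + "), headers: " + redact(headers));
    }

    public static void main(String[] args) {
        // Constructed sample request headers; the token value is a placeholder.
        Map<String, List<String>> headers = new HashMap<>();
        headers.put("Host", List.of("example.test"));
        headers.put("Authorization", List.of("Bearer constructed-sample-token"));
        logInvalidRequest("malformed request line", headers);
    }
}
```

A level check alone only narrows the window (headers still reach the log whenever WARN is enabled, which is the default in most deployments), so redaction is what actually removes the token from the log record. On the detection side, a periodic search of existing server logs for header names such as Authorization or Cookie followed by a non-redacted value is a cheap check that a deployment running an affected 1.0.x version has not already leaked credentials.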


WAF Protection Rules

WAF Rule

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests.
