Information Exposure Affecting io.projectreactor.netty:reactor-netty package, versions [0.9.0.RELEASE, 0.9.5.RELEASE) [0.8.0.RELEASE, 0.8.16.RELEASE)
4 Mar 2020
3 Mar 2020
Ludwig Bedacht, Daniel Spruth from Volkswagen Group IT Services
How to fix?
Upgrade io.projectreactor.netty:reactor-netty to version 0.9.5.RELEASE, 0.8.16.RELEASE or higher.
io.projectreactor.netty:reactor-netty is a TCP/HTTP/UDP client/server with Reactor over Netty.
Affected versions of this package are vulnerable to Information Exposure. An HttpClient that has been explicitly configured to follow redirects may leak credentials when it follows a redirect to a different domain. Clients that do not follow redirects are not affected.
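The failure mode described above, as an added illustration in Python (not reactor-netty's code): a toy client that follows redirects and replays the original request headers verbatim, beside the hardened variant that drops credential-bearing headers whenever the redirect target is on a different host. The in-memory "server" table, the URLs and the bearer token are constructed sample data; `fetch`, `next_request` and `credential_recipients` are names chosen for this example.

```python
"""Toy redirect-following client modelling a credentials leak across domains.

Added illustration, not reactor-netty code. The vulnerable behaviour is
forwarding every header of the original request to the redirect target;
the hardened behaviour strips credential headers when the target host differs.
"""
from urllib.parse import urljoin, urlparse

# Headers that carry credentials and must not be replayed to another host.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}

# Constructed in-memory "network": url -> (status, response headers, body).
FAKE_SERVER = {
    "https://api.example.com/report": (
        302, {"Location": "https://cdn.third-party.test/report.csv"}, b""),
    "https://cdn.third-party.test/report.csv": (200, {}, b"id,amount\n1,100\n"),
    "https://api.example.com/old": (301, {"Location": "/new"}, b""),
    "https://api.example.com/new": (200, {}, b"moved here\n"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def next_request(url, headers, location, strip_cross_host):
    """Build the (url, headers) pair for the request that follows a redirect.

    With strip_cross_host=False this is the vulnerable behaviour: all headers,
    credentials included, travel to whatever host the Location points at.
    With strip_cross_host=True credential headers are removed when the
    hostname changes (a stricter policy could also compare scheme and port).
    """
    target = urljoin(url, location)
    if strip_cross_host and urlparse(target).hostname != urlparse(url).hostname:
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in CREDENTIAL_HEADERS}
    return target, headers


def fetch(url, headers, follow_redirect=False, strip_cross_host=True,
          max_redirects=5, server=FAKE_SERVER):
    """Perform a request against the fake server.

    Returns (status, body, sent), where `sent` records every (url, headers)
    pair actually transmitted so a test can see what each host received.
    Like the advisory's precondition, redirects are only followed when the
    caller opts in with follow_redirect=True.
    """
    sent = []
    for _ in range(max_redirects + 1):
        sent.append((url, dict(headers)))
        status, resp_headers, body = server[url]
        if follow_redirect and status in REDIRECT_STATUSES:
            url, headers = next_request(url, headers, resp_headers["Location"],
                                        strip_cross_host)
            continue
        return status, body, sent
    raise RuntimeError("too many redirects")


def credential_recipients(sent):
    """Hosts that received at least one credential header; a quick leak check."""
    return {urlparse(u).hostname for u, h in sent
            if any(k.lower() in CREDENTIAL_HEADERS for k in h)}


if __name__ == "__main__":
    token = {"Authorization": "Bearer CONSTRUCTED-SAMPLE-TOKEN"}
    _, _, naive = fetch("https://api.example.com/report", token,
                        follow_redirect=True, strip_cross_host=False)
    _, _, safe = fetch("https://api.example.com/report", token,
                       follow_redirect=True, strip_cross_host=True)
    print("vulnerable client sent credentials to:", credential_recipients(naive))
    print("hardened client sent credentials to:  ", credential_recipients(safe))
```

Running the module prints the third-party host under the vulnerable client only. The same comparison is the useful regression check for any HTTP client wrapper: drive a redirect to a second hostname and assert that the recorded outbound request to that host carries no `Authorization` or `Cookie` header.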