All Vulnerability Reports

CVE-2020-5403: DoS Via Malformed URL with Reactor Netty HTTP Server


Severity

Medium

Vendor

Pivotal

Description

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Reactor Netty
    • 0.9.3
    • 0.9.4
Mitigation

Users of affected versions should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5). No other steps are necessary.

  • Reactor Netty
    • 0.9.5
Credit

This issue was identified and responsibly reported by Wojciech Kuranowski.

References
History

2020-02-27: Initial vulnerability report published.