CVE-2020-5404: Authentication Leak On Redirect With Reactor Netty HttpClient
Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
Severity is medium unless otherwise noted.
Older unsupported versions may be affected too.
- 0.9 to 0.9.4
- 0.8 to 0.8.15
Users of affected versions should apply the following mitigation: 0.9.x users should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5), 0.8.x users should upgrade to 0.8.16 (reactor-bom Californium SR-16). Note: Reactor Netty 0.9.5 and 0.8.16 depend on Netty 4.1.45+. Spring Boot applications should upgrade to 2.2.5 or 2.1.13 to use the above versions. No other steps are necessary. In some cases, after upgrading, applications may experience authentication failures following a redirect to a different domain. If this happens applications may then need to explicitly configure the Reactor Netty HttpClient with a redirect request handler. Releases that have fixed this issue include:
This issue was identified and responsibly reported by Ludwig Bedacht and Daniel Spruth from Volkswagen Group IT Services GmbH.
2020-02-27: Initial vulnerability report published.