Spring Security Advisories

CVE-2020-5404: Authentication Leak On Redirect With Reactor Netty HttpClient

MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5404

Description

Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.

Affected Spring Products and Versions

  • Reactor Netty
    • 0.9 to 0.9.4
    • 0.8 to 0.8.15

Mitigation

Users of affected versions should apply the following mitigation:

  • 0.9.x users should upgrade to 0.9.5 (reactor-bom Dysprosium-SR5).
  • 0.8.x users should upgrade to 0.8.16 (reactor-bom Californium-SR16).

Note: Reactor Netty 0.9.5 and 0.8.16 depend on Netty 4.1.45 or later. Spring Boot applications should upgrade to Spring Boot 2.2.5 or 2.1.13 to pick up these versions. No other steps are necessary.

The fixed versions stop forwarding credentials when a redirect leads to a different domain, so in some cases applications may experience authentication failures after such a redirect once they upgrade. Applications that rely on that behaviour can explicitly configure the Reactor Netty HttpClient with a redirect request handler that re-applies the credential to the redirected request only where that is intended.

Releases that have fixed this issue include:

  • Reactor Netty
    • 0.8.16
    • 0.9.5
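The following is an added example, not code from the Reactor Netty or Spring projects, showing the shape of the redirect request handler the mitigation above refers to and the failure mode the description above names (credentials following a redirect to a different domain). It assumes the fixed versions' `followRedirect(boolean, Consumer<HttpClientRequest>)` overload, that `HttpClientRequest.resourceUrl()` returns the fully qualified URL of the redirect target, and that `redirectedFrom()` lists the URLs visited so far; the host names, URL and bearer token are placeholders constructed for the example.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Consumer;

import reactor.netty.http.client.HttpClient;
import reactor.netty.http.client.HttpClientRequest;

// Added example (not Reactor Netty or Spring project code): an HttpClient that
// follows redirects but re-applies the Authorization header only when the
// redirect target is a host that has been explicitly allowlisted.
public class RedirectCredentialPolicy {

    static final String AUTH_HEADER = "Authorization";
    // Constructed placeholder credential for the example.
    static final String TOKEN = "Bearer example-token-not-real";

    // Hosts allowed to receive the credential after a redirect. The original
    // host is listed; any other host must be added deliberately.
    static final Set<String> TRUSTED_HOSTS = new HashSet<>(
            Arrays.asList("api.example.com", "auth.example.com"));

    // Pure policy decision, kept apart from the client so it can be unit-tested:
    // true only when the redirect target host is on the allowlist.
    static boolean mayForwardCredential(String redirectTargetUrl) {
        String host = URI.create(redirectTargetUrl).getHost();
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    // Redirect request handler for followRedirect(boolean, Consumer<HttpClientRequest>).
    // It runs once per redirect, after the redirected request has been built.
    // Assumption: resourceUrl() is the fully qualified URL of the redirect target.
    static Consumer<HttpClientRequest> redirectHandler() {
        return redirected -> {
            String target = redirected.resourceUrl();
            if (mayForwardCredential(target)) {
                redirected.header(AUTH_HEADER, TOKEN);
            } else {
                // Credential intentionally not forwarded to an unlisted host;
                // redirectedFrom() gives the chain of URLs visited so far.
                String[] chain = redirected.redirectedFrom();
                System.err.println("Not forwarding credential on redirect "
                        + String.join(" -> ", chain) + " -> " + target);
            }
        };
    }

    public static void main(String[] args) {
        HttpClient client = HttpClient.create()
                .headers(h -> h.set(AUTH_HEADER, TOKEN))   // credential on the initial request
                .followRedirect(true, redirectHandler());  // and an explicit policy per redirect

        String body = client.get()
                .uri("https://api.example.com/resource")   // placeholder URL
                .responseContent()
                .aggregate()
                .asString()
                .block();

        System.out.println(body);
    }
}
```

The point of the allowlist is that the decision to send a credential to another origin becomes an explicit configuration choice rather than a side effect of following redirects; with the fixed versions and no handler, the safe default (credential dropped on a cross-domain redirect) applies.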

Credit

This issue was identified and responsibly reported by Ludwig Bedacht and Daniel Spruth from Volkswagen Group IT Services GmbH.

History

  • 2020-02-27: Initial vulnerability report published.
