CVE-2020-5403: DoS Via Malformed URL with Reactor Netty HTTP Server


Severity

Medium

Vendor

Pivotal

Description

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, does not handle the URISyntaxException raised when a client sends a malformed request URL. The unhandled exception causes the connection to be closed prematurely instead of the server returning a 400 Bad Request response, so a remote client can make the server drop connections on demand.
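A practitioner confirming exposure, or verifying an upgrade, wants to see which of the two behaviours a server actually exhibits: a 400 response or a dropped connection. The probe below is an added example, not code from the advisory or from the Reactor Netty project. It sends one raw HTTP/1.1 request whose request-target contains a malformed percent-escape (`/%zz`, which `java.net.URI` rejects with a URISyntaxException) and classifies the server's reaction. A raw socket is used deliberately, because HTTP client libraries may refuse to emit a malformed target or hide a closed connection behind a retry. The stub server is a constructed stand-in that mimics the two outcomes so the script runs offline; it is not Reactor Netty, and the host, port and target names are the example's own assumptions.

```python
import socket
import threading

# Request-target with a malformed percent-escape. java.net.URI rejects "%zz"
# with a URISyntaxException ("Malformed escape pair"), which is the class of
# input the advisory describes. Assumed probe value, not taken from the advisory.
MALFORMED_TARGET = "/%zz"


def probe(host, port, target=MALFORMED_TARGET, timeout=3.0):
    """Send one raw HTTP/1.1 request with the given request-target and
    classify how the server reacts.

    Returns (verdict, status):
      ("closed", None)      server dropped the connection without any response
      ("response", <int>)   server answered with the given HTTP status code
      ("malformed", None)   bytes came back that are not an HTTP status line
      ("timeout", None)     no bytes and no close within the timeout
    """
    request = (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return ("timeout", None)
        except ConnectionResetError:
            # RST instead of FIN: still a dropped connection with no response
            return ("closed", None)
    if not data:
        # recv() returned EOF: the peer closed without sending a status line
        return ("closed", None)
    status_line = data.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return ("malformed", None)
    return ("response", int(parts[1]))


def start_stub_server(mode):
    """Constructed stand-in for an HTTP server (not Reactor Netty).

    mode="close" mimics the affected behaviour: read the request, then drop
    the connection without responding. mode="400" mimics the expected
    behaviour: answer 400 Bad Request. Returns the port it is listening on.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            conn, _ = listener.accept()
            with conn:
                conn.recv(4096)  # consume the request so the close is a clean FIN
                if mode == "400":
                    conn.sendall(
                        b"HTTP/1.1 400 Bad Request\r\n"
                        b"Content-Length: 0\r\n"
                        b"Connection: close\r\n\r\n"
                    )
                # mode == "close": leaving the block closes the socket unanswered

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    # Demonstration against the two stubs; point probe() at a real host:port
    # to check an actual deployment.
    for mode in ("close", "400"):
        port = start_stub_server(mode)
        print(f"stub mode={mode}: {probe('127.0.0.1', port)}")
```

Run `probe()` against the real server before and after moving to a fixed version: a ("closed", None) verdict for the malformed target is the behaviour this advisory describes, while ("response", 400) is what the fixed server should return. A ("response", 200) or similar simply means the target was not malformed enough for that server's URI parsing, so try other illegal inputs (a space or a `|` in the path also fail `java.net.URI` construction).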

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Reactor Netty
    • 0.9.3
    • 0.9.4

Mitigation

Users of affected versions should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5). No other steps are necessary.

  • Reactor Netty
    • 0.9.5

Credit

This issue was identified and responsibly reported by Wojciech Kuranowski.

References

History

2020-02-27: Initial vulnerability report published.