All Vulnerability Reports

CVE-2020-5404: Authentication Leak On Redirect With Reactor Netty HttpClient

Severity

Medium

Vendor

Pivotal

Description

Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

Older unsupported versions may be affected too.

• Reactor Netty
  • 0.9 to 0.9.4
  • 0.8 to 0.8.15

Mitigation

Users of affected versions should apply the following mitigation: 0.9.x users should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5), 0.8.x users should upgrade to 0.8.16 (reactor-bom Californium SR-16).  Note: Reactor Netty  0.9.5 and 0.8.16 depend on Netty 4.1.45+. Spring Boot applications should upgrade to 2.2.5 or 2.1.13 to use the above versions. No other steps are necessary. In some cases, after upgrading,  applications may experience authentication failures following a redirect to a different domain. If this happens applications may then need to explicitly configure the Reactor Netty HttpClient with a redirect request handler. Releases that have fixed this issue include:

• Reactor Netty
  • 0.8.16
  • 0.9.5

Credit

This issue was identified and responsibly reported by Ludwig Bedacht and Daniel Spruth from Volkswagen Group IT Services GmbH.

References

• https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

History

2020-02-27: Initial vulnerability report published.