CVE-2019-11284

HIGH

Pivotal Reactor Netty < 0.8.11 - Insufficiently Protected Credentials

Title source: rule

Description

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

References (1)

[Vendor Advisory] https://pivotal.io/security/cve-2019-11284

Scores

CVSS v3 8.6

EPSS 0.0039

EPSS Percentile 59.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (2)

pivotal/reactor_netty < 0.8.11

io.projectreactor.netty/reactor-netty < 0.8.11Maven

Timeline

Published Oct 17, 2019

Tracked Since Feb 18, 2026