CVE-2019-11284

HIGH

Reactor Netty < 0.8.11 - Unauthenticated Credential Exposure via Redirect Header Handling

Title source: llm
STIX 2.1

Description

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2019-11284

Scores

CVSS v3 8.6
EPSS 0.0089
EPSS Percentile 54.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-522
Status published
Products (2)
io.projectreactor.netty/reactor-netty 0 - 0.8.11Maven
pivotal/reactor_netty 0.8.0 - 0.8.11
Published Oct 17, 2019
Tracked Since Feb 18, 2026