CVE-2022-31684
MEDIUM
Pivotal Reactor Netty < 1.0.23 - Log Information Exposure
Title source: ruleDescription
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
References (1)
Core References
Vendor Advisory
https://tanzu.vmware.com/security/cve-2022-31684
Scores
CVSS v3
4.3
EPSS
0.0042
EPSS Percentile
61.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (2)
io.projectreactor.netty/reactor-netty-http
1.0.11 - 1.0.24
Maven
pivotal/reactor_netty
1.0.11 - 1.0.23
Published
Oct 19, 2022
Tracked Since
Feb 18, 2026