CVE-2022-31684
MEDIUM
Reactor Netty HTTP Server 1.0.11-1.0.23 - Sensitive Information Exposure via Logged Request Headers
Title source: llm
Description
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
References (1)
Core References
Vendor Advisory
https://tanzu.vmware.com/security/cve-2022-31684
Scores
CVSS v3
4.3
EPSS
0.0060
EPSS Percentile
44.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (2)
io.projectreactor.netty/reactor-netty-http
1.0.11 - 1.0.24 Maven
pivotal/reactor_netty
1.0.11 - 1.0.23
Published
Oct 19, 2022
Tracked Since
Feb 18, 2026