Expected behavior
No CVE findings by vulnerability scanners like Sonatype NexusIQ.
Actual behavior
When running Sonatype NexusIQ against the 3.4.2 release the following CVEs are reported:
because the version of Netty Reactor is still 1.0.21.
Solution
Upgrade to 1.0.24 (reactor-bom 2020.0.24). No other steps are necessary. Releases that have fixed this issue include:
Reactor Netty
1.0.24
Reference
Description from CVE
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
Explanation
The reactor-netty-core and reactor-netty-http packages are vulnerable to Information Exposure. The methods in the files listed below include sensitive information, such as request headers, in statements logged in DEBUG and WARN modes. A remote attacker with access to Netty's logs can exploit this vulnerability to obtain information that may be used to perform further attacks against an affected application.
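As an added example (not part of this issue or of the Reactor Netty project), the check below walks Maven `dependency:tree` output and flags `reactor-netty-core` / `reactor-netty-http` artifacts whose version falls inside the range the CVE text gives (1.0.11 to 1.0.23, fixed from 1.0.24). It assumes the `io.projectreactor.netty` group id, and the dependency-tree lines are constructed sample input, not from a real build.

```python
"""Flag reactor-netty artifacts in the version range named by the CVE text.
Affected range taken from the report above: 1.0.11 - 1.0.23, fixed in 1.0.24."""
import re
from typing import List, Tuple

# Artifacts the report names as carrying the logging issue.
AFFECTED_ARTIFACTS = {"reactor-netty-core", "reactor-netty-http"}
REACTOR_NETTY_GROUP = "io.projectreactor.netty"
FIRST_AFFECTED = (1, 0, 11)   # inclusive lower bound from the CVE text
FIRST_FIXED = (1, 0, 24)      # first release the issue says is fixed

# Matches lines such as
# "[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.0.21:compile"
DEP_RE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[\w.\-]+):")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.21' into (1, 0, 21); drops qualifiers such as '-SNAPSHOT' or '.Final'."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_affected(version: str) -> bool:
    """True only for the 1.0.11 <= version < 1.0.24 range the report describes."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def find_affected(tree_output: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs from dependency-tree text that need the upgrade."""
    hits: List[Tuple[str, str]] = []
    for line in tree_output.splitlines():
        match = DEP_RE.search(line)
        if match is None or match.group("group") != REACTOR_NETTY_GROUP:
            continue
        if match.group("artifact") in AFFECTED_ARTIFACTS and is_affected(match.group("version")):
            hits.append((match.group("artifact"), match.group("version")))
    return hits


# Constructed sample of `mvn dependency:tree` output, pinned at the 1.0.21 the issue mentions.
SAMPLE_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:2.5.9:compile
[INFO] |  +- io.projectreactor.netty:reactor-netty-http:jar:1.0.21:compile
[INFO] |  |  +- io.projectreactor.netty:reactor-netty-core:jar:1.0.21:compile
[INFO] |  |  \\- io.netty:netty-handler:jar:4.1.72.Final:compile
"""

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_TREE):
        print(f"{artifact} {version}: upgrade to 1.0.24 (reactor-bom 2020.0.24)")
```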