8.6
CWE
522
Advisory Published
Updated

CVE-2019-11284: Reactor Netty authentication leak in redirects

First published: Thu Oct 17 2019(Updated: )

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

Credit: security@pivotal.io

Affected SoftwareAffected VersionHow to fix
Pivotal Reactor Netty>=0.8.0<0.8.11

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2019-11284?

    CVE-2019-11284 is a vulnerability in Pivotal Reactor Netty versions prior to 0.8.11 that allows a remote unauthenticated malicious user to gain access to credentials for a different server.

  • How does CVE-2019-11284 affect Pivotal Reactor Netty?

    CVE-2019-11284 affects Pivotal Reactor Netty versions prior to 0.8.11 by passing headers, including authorization ones, through redirects.

  • What is the severity of CVE-2019-11284?

    The severity of CVE-2019-11284 is high with a CVSS score of 8.6.

  • How can a remote malicious user exploit CVE-2019-11284?

    A remote unauthenticated malicious user can exploit CVE-2019-11284 by redirecting headers, including authorization ones, and gaining access to credentials for a different server.

  • What is the recommended solution to fix CVE-2019-11284?

    To fix CVE-2019-11284, it is recommended to upgrade Pivotal Reactor Netty to version 0.8.11 or later.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203