#VU68520 Information disclosure in Reactor Netty - CVE-2022-31684

Cybersecurity Help s.r.o.

Published: 2022-10-20

Vulnerability identifier: #VU68520

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-31684

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Reactor Netty
Universal components / Libraries / Libraries used by multiple products

Vendor: Pivotal

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to tge affected applicaton may log request headers in some cases of invalid HTTP requests. A remote user can reveal valid access tokens.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Reactor Netty: 1.0.11 - 1.0.23

External links
https://tanzu.vmware.com/security/cve-2022-31684

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Disconnected Log Collector

Multiple vulnerabilities in Red Hat Openshift Application Runtimes

Multiple vulnerabilities in IBM Security Guardium

Information disclosure in VMware Reactor Netty