来源:Spring系列官网
发布日期:2020-02-27
阅读次数:1000
评论:0
更新标题
CVE-2020-5404: Authentication Leak On Redirect With Reactor Netty HttpClient
更新详情
CVE-2020-5404: Authentication Leak On Redirect With Reactor Netty HttpClient
SeverityMediumVendorPivotalVersions AffectedDescriptionReactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.Affected Pivotal Products and VersionsReactor Netty0.9 to 0.9.40.8 to 0.8.15MitigationUsers of affected versions should apply the following mitigation: 0.9.x users should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5), 0.8.x users should upgrade to 0.8.16 (reactor-bom Californium SR-16). Note: Reactor Netty 0.9.5 and 0.8.16 depend on Netty 4.1.45+. Spring Boot applications should upgrade to 2.2.5 or 2.1.13 to use the above versions. No other steps are necessary. In some cases, after upgrading, applications may experience authentication failures following a redirect to a different domain. If this happens applications may then need to explicitly configure the Reactor Netty HttpClient with a redirect request handler. Releases that have fixed this issue include:Reactor Netty0.8.160.9.5CreditThis issue was identified and responsibly reported by Ludwig Bedacht and Daniel Spruth from Volkswagen Group IT Services GmbH.Referenceshttps://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:NHistory2020-02-27: Initial vulnerability report published.
软件描述
Spring框架是一个开放源代码的J2EE应用程序框架,由Rod Johnson发起,是针对bean的生命周期进行管理的轻量级容器(lightweight container)。
评论