The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.

External Reference: https://tanzu.vmware.com/security/cve-2020-5404
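The defensive rule behind the fix, as an added illustration that is not Reactor Netty's own code: a redirect-following client must drop credential-bearing request headers (Authorization, Proxy-Authorization, Cookie) before re-sending the request to a 3xx Location that belongs to a different origin. The snippet goes slightly beyond the description's "different domain" by comparing scheme, host and port; the stub transport, URLs and tokens are constructed for the example so the chain runs offline, and `strip_on_cross_origin=False` reproduces the leaking behaviour for comparison.

```python
"""
Added example (not Reactor Netty's code): cross-origin redirects must not
carry the original request's credentials.  The transport is a constructed
in-memory stub so the redirect chain can be exercised without a network.
"""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must never follow a cross-origin redirect.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def same_origin(url_a: str, url_b: str) -> bool:
    """True when scheme, host and port match; the port defaults per scheme."""
    a, b = urlsplit(url_a), urlsplit(url_b)

    def port(u):
        return u.port or {"http": 80, "https": 443}.get(u.scheme)

    return (a.scheme, a.hostname, port(a)) == (b.scheme, b.hostname, port(b))


def headers_for_redirect(current_url: str, location: str, headers: dict):
    """Resolve Location against the current URL and return (next_url, headers),
    with credential headers removed when the origin changes."""
    next_url = urljoin(current_url, location)
    if same_origin(current_url, next_url):
        return next_url, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return next_url, kept


# Constructed stub transport: URL -> (status, response headers).  Hostnames are
# placeholders, not real services.
STUB_RESPONSES = {
    "https://api.example.com/v1/report": (302, {"Location": "https://cdn.example.net/report.pdf"}),
    "https://api.example.com/v1/old": (301, {"Location": "/v1/new"}),
    "https://api.example.com/v1/new": (200, {}),
    "https://cdn.example.net/report.pdf": (200, {}),
}


def follow(url: str, headers: dict, strip_on_cross_origin: bool = True, max_hops: int = 5):
    """Follow redirects against the stub and record (url, headers) for each hop.
    strip_on_cross_origin=False mimics a client that blindly re-sends every
    header, which is the leak described in CVE-2020-5404."""
    hops = []
    for _ in range(max_hops):
        hops.append((url, dict(headers)))
        status, resp = STUB_RESPONSES[url]
        if status not in (301, 302, 303, 307, 308):
            return hops
        if strip_on_cross_origin:
            url, headers = headers_for_redirect(url, resp["Location"], headers)
        else:
            url = urljoin(url, resp["Location"])
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    creds = {"Authorization": "Bearer constructed-token"}
    for mode in (False, True):
        hops = follow("https://api.example.com/v1/report", creds, strip_on_cross_origin=mode)
        print("strip" if mode else "leak", "->", hops[-1][0], hops[-1][1])
```

The same-origin hop (`/v1/old` to `/v1/new`) keeps the headers, so legitimate redirects within the API still work; only the cross-origin hop loses them.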
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5404
A word on scoring: our scoring is currently 6.5/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N and NVD's is 7.6/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N; it will change to 5.9/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N.

My take:

Exploitability Metrics:

Attack Vector Network (AV:N) - Agree here; Reactor Netty is bound to the network stack as either a client or server, and in this instance only the client functionality is vulnerable [1].

Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H): We disagree with the scoring of a low attack complexity. We believe the impact is significantly different depending on the specific application's handling, that is to say a successful attack depends on conditions beyond the attacker's control. We believe those conditions are:
*) The attack has the prerequisite of an HTTP redirect to a resource controlled by the attacker; in other words, the attacker must inject themselves into the logical network path between the target and the resource.

Privileges Required Low (PR:L) - Agree here; in order to have a high impact on confidentiality the user will need to be authenticated on the system targeted by the attacker.

User Interaction Required (UI:R) -> User Interaction None (UI:N): We disagree with the original scoring of user interaction required. If the attacker is able to inject themselves into the logical network path and cause a redirect to a resource they control, no user interaction would be required. The client itself needs to explicitly enable redirection, but this is application configuration and should not be considered in scoring.

Scope Changed (S:C) -> Scope Unchanged (S:U): We disagree with the original scoring of scope changed; although the vulnerable client may expose authorization credentials, as suggested by privileges being required, those credentials are of the same security authority [2].

Impact Metrics:

Confidentiality High (C:H) - We agree with the original scoring of high impact on confidentiality; information disclosed might include security headers which allow an attacker to hijack an authenticated and valid session. This means the disclosed information presents a direct, serious impact.

Integrity Low (I:L) - We agree with the original scoring of low impact on integrity; the attacker is able to modify some data but this does not constitute a complete loss of protection.

Availability High (A:N) - Agree here; this flaw has no direct impact upon availability of the impacted component.
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2022:8761 https://access.redhat.com/errata/RHSA-2022:8761