Bug 2250160 (CVE-2023-34062) - CVE-2023-34062 reactor-netty-http: directory traversal vulnerability
Summary: CVE-2023-34062 reactor-netty-http: directory traversal vulnerability
Keywords:
Status: NEW
Alias: CVE-2023-34062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2250159
Reported: 2023-11-16 19:26 UTC by Robb Gatica
Modified: 2025-01-01 08:27 UTC
CC List: 38 users

Fixed In Version: Reactor Netty 1.1.13, Reactor Netty 1.0.39
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Robb Gatica 2023-11-16 19:26:52 UTC
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

https://spring.io/security/cve-2023-34062

Comment 1 Robb Gatica 2023-11-16 19:34:59 UTC
depcli -a reactor-netty-http
eap-7/reactor-netty-http=new
eap-8/reactor-netty-http=new
eap-xp/reactor-netty-http=new
fuse-7/reactor-netty-http=new
rhint-camel-k-1/reactor-netty-http=new
rhint-camel-spring-boot-3/reactor-netty-http=new
rhint-camel-spring-boot-4/reactor-netty-http=new
rhint-debezium-2/reactor-netty-http=new
rhos_devspaces-3/devspaces-pluginregistry-rhel8-container=new
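Triage helper for the affected ranges stated in the description (1.1.x before 1.1.13, 1.0.x before 1.0.39). This is an added example, not code from the bug, from Spring, or from the depcli tool; the version strings in the test are constructed, and the helper only classifies versions, it does not check whether the server actually serves static resources.

```python
import re

# Fixed-in patch level per minor line, as stated in the bug description.
# Minor lines not listed here are not covered by the advisory text and are
# reported as needing manual review rather than as safe.
FIXED_IN = {(1, 1): 13, (1, 0): 39}

# Accepts "1.1.12", "1.0.38.RELEASE", "1.1.13-SNAPSHOT"; the qualifier after
# the third number is ignored, so pre-release builds of the fix version are
# not distinguished from the release (assumption of this helper).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")


def parse_version(version):
    """Return (major, minor, patch) as integers from a Reactor Netty version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Reactor Netty version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is inside a stated affected range, False if it is
    at or above the fixed version, None if the minor line is not covered."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return None
    return patch < fixed_patch


def triage(versions):
    """Map each reported version to 'affected', 'fixed' or 'review'."""
    result = {}
    for v in versions:
        a = is_affected(v)
        result[v] = "review" if a is None else ("affected" if a else "fixed")
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not data from the bug.
    print(triage(["1.1.12", "1.1.13", "1.0.38.RELEASE", "1.0.39", "0.9.20"]))
```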
