CVE-2023-34062

In Reactor Netty HTTP Server a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack in maven/io.projectreactor.netty/reactor-netty-http

Identifiers

GHSA-xjhv-p3fv-x24r, CVE-2023-34062

Package Slug

maven/io.projectreactor.netty/reactor-netty-http

Vulnerability

In Reactor Netty HTTP Server a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack

Description

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

Affected Versions

All versions from 1.0.0 up to but not including 1.0.39, and all versions from 1.1.0 up to but not including 1.1.13.
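As an added illustration (not part of the advisory), the affected ranges above can be turned into a check over `mvn dependency:tree` output to find builds that still pull in a vulnerable `reactor-netty-http`. The sample tree lines are constructed for the example; the artifact coordinate format is Maven's usual `group:artifact:packaging[:classifier]:version:scope`.

```python
"""Flag reactor-netty-http versions affected by CVE-2023-34062 in Maven dependency output."""
import re

# Affected ranges stated in the advisory: [1.0.0, 1.0.39) and [1.1.0, 1.1.13).
AFFECTED_RANGES = (((1, 0, 0), (1, 0, 39)), ((1, 1, 0), (1, 1, 13)))
ARTIFACT = "io.projectreactor.netty:reactor-netty-http"


def parse_version(version):
    """Return a (major, minor, patch) tuple of ints.

    Qualifiers such as '-SNAPSHOT' or '.RELEASE' are ignored, so a pre-release
    build of a fixed version is reported as fixed; verify such builds manually.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Matches dependency:tree / dependency:list entries for the artifact, with or
# without a classifier: group:artifact:packaging[:classifier]:version:scope
DEP_RE = re.compile(
    re.escape(ARTIFACT) + r":[\w.-]+(?::[\w.-]+)?:(?P<version>\d[\w.-]*):\w+"
)


def scan_dependency_output(text):
    """Return [(version, affected)] for every reactor-netty-http entry found."""
    return [(m.group("version"), is_affected(m.group("version")))
            for m in DEP_RE.finditer(text)]


# Constructed sample of 'mvn dependency:tree' output (not from a real build).
SAMPLE_TREE = r"""
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile
[INFO] |  \- io.projectreactor.netty:reactor-netty-core:jar:1.1.12:compile
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.0.39:test
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:sources:1.0.38:provided
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.1.13:compile
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_output(SAMPLE_TREE):
        print(f"{ARTIFACT}:{version}: {'AFFECTED' if affected else 'fixed'}")
```

Only the `reactor-netty-http` coordinate is examined; the advisory ties the issue to the HTTP server's static-resource serving, so a flagged version matters most when that feature is enabled.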

Solution

Upgrade to version 1.0.39 or 1.1.13, or a later release.

Last Modified

2023-11-16
