CVE-2019-11284: Insufficiently Protected Credentials

October 23, 2019 (updated August 18, 2021)

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

References

github.com/advisories/GHSA-j52r-xc68-q8f4
nvd.nist.gov/vuln/detail/CVE-2019-11284
pivotal.io/security/cve-2019-11284

Detect and mitigate CVE-2019-11284 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →