CVE-2022-31684
Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens
Severity: 4.3 MEDIUM (CVSS 3.1)
EPSS: 0.42%
Description
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to anyone with access to the server logs. Only invalid HTTP requests are affected, and only where logging at WARN level is enabled.
How to fix CVE-2022-31684
To remediate CVE-2022-31684, upgrade the affected package to a fixed version below.
- upgrade to 1.0.24 or later
Is CVE-2022-31684 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Reactor Netty HTTP Server: >= 1.0.11, < 1.0.24
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |