DoS Via Malformed URL with Reactor Netty HTTP Server

MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5403

Description

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.

Affected Spring Products and Versions

Reactor Netty:

  • 0.9.4 - 0.9.4
  • 0.9.3 and earlier

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
0.9.5OSS
0.9.5OSS

No further mitigation steps are necessary.

Credit

This issue was identified and responsibly reported by Wojciech Kuranowski.

History

  • 2020-02-27: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all