Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreReactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
Reactor Netty:
| Fix version | Availability |
|---|---|
| 0.9.5 | OSS |
| 0.8.16 | OSS |
Note: Reactor Netty 0.9.5 and 0.8.16 depend on Netty 4.1.45+. Spring Boot applications should upgrade to 2.2.5 or 2.1.13 to use the above versions. No other steps are necessary. In some cases, after upgrading, applications may experience authentication failures following a redirect to a different domain. If this happens applications may then need to explicitly configure the Reactor Netty HttpClient with a redirect request handler.
This issue was identified and responsibly reported by Ludwig Bedacht and Daniel Spruth from Volkswagen Group IT Services GmbH.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy