VMware offers training and certification to turbo-charge your progress.Learn more
Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
Users of affected versions should apply the following mitigation: 0.9.x users should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5), 0.8.x users should upgrade to 0.8.16 (reactor-bom Californium SR-16). Note: Reactor Netty 0.9.5 and 0.8.16 depend on Netty 4.1.45+. Spring Boot applications should upgrade to 2.2.5 or 2.1.13 to use the above versions. No other steps are necessary. In some cases, after upgrading, applications may experience authentication failures following a redirect to a different domain. If this happens applications may then need to explicitly configure the Reactor Netty HttpClient with a redirect request handler. Releases that have fixed this issue include:
This issue was identified and responsibly reported by Ludwig Bedacht and Daniel Spruth from Volkswagen Group IT Services GmbH.